TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Ziminy13 on August 16, 2006, 01:55:29 AM

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 16, 2006, 01:55:29 AM

Recently when I had to reboot my computer, upon startup it took a full hour to open all the programs that I have set to run on startup.  (Something that usually takes 8-10 seconds)  This happens every time I have a power failure or have to reboot.  Also, when I open some folders under MyComputer, everything onscreen except the wallpaper disappears and then reappears with MyComputer closed.  I cannot use and any files in these folders.  Spybot finds a SYSBUS32 every time I run it.  Even though I fix it each time.  Please help.

Logfile of HijackThis v1.99.1
Scan saved at 2:46:38 AM, on 8/16/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/ (http://\"http://www.myspace.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LoginMonitorBHO Class - {23128821-FF38-4B38-82EA-FFC6DF4A7DD1} - C:\WINDOWS\lm6010.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1138560958\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1138560958\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EA56B3-33F4-4E37-8CB6-58D14A790BC7}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1138560958\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Title: Trojan? Malware? Big problems
Post by: guestolo on August 16, 2006, 07:23:51 AM

Hi Ziminy13, You have more than one AntiVirus software running on your computer
This can cause system instabilities and really reduce the bootup time

I see McAfee's AV>>Avira's AntiVir>>and AVG Antivirus
Having more than one active AV running in the background can do more harm than good

Keep the one your happiest with and uninstall the others
You may want to hold onto AVG, as is has a decent email scanner

Reboot after uninstalling each of the other AV's

When that's done, post a fresh hijackthis log and we'll go from there

+Download and save too desktop
 F-Secure Blacklight(blbeta.exe) (http://\"https://europe.f-secure.com/exclude/blacklight/blbeta.exe\")

    Double click to run blbeta.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log". Please post that log too

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 19, 2006, 01:29:41 AM

Logfile of HijackThis v1.99.1
Scan saved at 2:20:49 AM, on 8/19/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Shawn\Computer_Help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/ (http://\"http://www.myspace.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: LoginMonitorBHO Class - {23128821-FF38-4B38-82EA-FFC6DF4A7DD1} - C:\WINDOWS\lm6010.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - Unknown owner - C:\Program Files\Common Files\AOL\1138560958\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

08/19/06 02:25:47 [Info]: BlackLight Engine 1.0.46 initialized
08/19/06 02:25:47 [Info]: OS: 5.1 build 2600 ()
08/19/06 02:25:47 [Note]: 7019 4
08/19/06 02:25:47 [Note]: 7005 0
08/19/06 02:25:50 [Note]: 7006 0
08/19/06 02:25:50 [Note]: 7011 1368
08/19/06 02:25:50 [Note]: 7026 0
08/19/06 02:25:50 [Note]: 7026 0
08/19/06 02:25:52 [Note]: FSRAW library version 1.7.1019
08/19/06 02:27:12 [Note]: 2000 1006
08/19/06 02:27:45 [Note]: 7007 0

Title: Trojan? Malware? Big problems
Post by: guestolo on August 19, 2006, 09:25:23 AM

I assume that when you went to remove the Anti-Virus from McAfee's
Probably installed by AOL
The firewall software was also removed
Can you do the following

Go to START>>RUN>>type in
services.msc
In the new window that opens, on the right hand side
Double click on and STOP the following service if running
AOL Antivirus Update Service
In the Startup type drop down menu, set to DISABLED
Apply it
Do the same for the next one also

McAfee McShield

Do a System Scan Only with Hijackthis
and put a tick next to the following entries

O2 - BHO: LoginMonitorBHO Class - {23128821-FF38-4B38-82EA-FFC6DF4A7DD1} - C:\WINDOWS\lm6010.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

Close down all other open windows, including this one
Leave Hijackthis open and Click the FIX CHECKED button
Allow to remove and make backups

Reboot the computer afterwards

Back in Windows, we must get a firewall on this system
Go to the following link and install
Sunbelt Kerio Personal Firewall (http://\"http://www.sunbelt-software.com/Kerio.cfm\")
The full version will become a limited free version after 30 days

Afterwards
==Download, install, and update  Ewido anti-spyware (http://\"http://www.ewido.net/en/download/\")[list=1]

• Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  
• After the update finishes (the status bar at the bottom will display "Update successful")
• Close Ewido. Do not run it yet.
  

==Download and install Windows CleanUp! 4.5.2 (http://\"http://www.stevengould.org/downloads/cleanup/CleanUp452.exe\")
Don't run a scan yet

CleanUp! attempts to delete files from various temporary directories (including download directories/caches),
as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places,  they will be deleted when CleanUp! is run.
Please move them too a different location before we run this tool if the above is true
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.

Print and/or save the rest of these instructions to a text file saved to desktop
This is very important, as I need you too reboot into safe mode without internet connection

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Sign in with your normal user account

Once in safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!
Run this twice please

Ewido Scan

• Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan.  This scan can take quite a while to run, so be prepared.
  
• Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  
• Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).

Reboot back to Normal mode

Post back the following please
1. Run Hijackthis again and post back a fresh log
2. Post the whole report from Ewido's

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 20, 2006, 01:24:18 AM

Until this point everything started running better.  After these last steps, I have nothing on my TaskBar except Sunbelt Kerio, and I have a popup from Kerio saying "Dial-up number changed" "Do you permit connection to this dial-up number" with a warning that it could be "faked by some ActiveX component".  When I rebooted windows could not find 5 different files.  And HijackThis does not work.  I deleted and downloaded again, and it still cant find file.  Says to use search, which finds many zipped and non zipped versions of HijackThis, but wont impliment them saying it cant find file.  Here is ewido report scan.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   1:58:40 AM 8/20/2006

 + Scan result:   



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\rundl132.exe -> Trojan.Lineage.afk : Cleaned with backup (quarantined).
C:\Program Files\Common Files\inexplore.pif -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\inexplore.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\0Sy.exe -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\1.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\Debug\DebugProgram.exe -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\EXP10RER.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\exerouter.exe -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\finders.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\smss.exe -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MSCONFIG.COM -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\command.pif -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxdiag.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\regedit.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rund1132.com -> Trojan.Lmir.avr : Cleaned with backup (quarantined).
[784] C:\WINDOWS\smss.exe -> Trojan.Lmir.avr : Error during cleaning.
C:\WINDOWS\4Sy.exe -> Trojan.Lmir.azn : Cleaned with backup (quarantined).
C:\TODAYZTKING\TODAYZTKING.DLL -> Trojan.WOW.ft : Cleaned with backup (quarantined).


::Report end

If I click "no, hang up" on the Kerio popup, it just pops up again immediately.

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 20, 2006, 01:34:36 AM

I now found that I can not open any other programs on my computer except Email Removed  All the rest cannot find file.  When I ran the cleanup it "freed up" 3.5 megs of info.  Dont know if this tells you anything.  Do I need to reinstall XP Pro and start over, and if I do, will I lose files I have saved of family pics and such?

Zim

Title: Trojan? Malware? Big problems
Post by: guestolo on August 20, 2006, 02:41:45 PM

Let me know if you are able to open this file
From below, download and unzip to your desktop find_stuff.zip
Extract it
Double click on find_stuff.bat
A folder will be placed on desktop called Files
Open the Files folder and post the contents of look1.txt

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 20, 2006, 03:28:23 PM

doesn't exist HKEY_CLASSES_ROOT\file\shell\open\command
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138560958\\ee\\AOLSoftware.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"LXCGCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCGtime.dll,_RunDLLEntry@16"
"lxcgmon.exe"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"_rx"="C:\\WINDOWS\\command\\rundll32.exe"
"ms"="C:\\Program Files\\Microsoft\\svhost32.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"


[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
@="rundll32.exe %SystemRoot%\\System32\\mshtml.dll,PrintHTML \"%1\""


[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]
@="%SystemRoot%\\EXP10RER.com"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\inexplore.com\" %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"


[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="TRACY-UNZO512YV"
"DefaultUserName"="Tracy Boo Major"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="explorer.exe 1"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,2e,65,78,65,00
"LogonType"=dword:00000000
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Tracy Boo Major"
"AltDefaultDomainName"="TRACY-UNZO512YV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,64,65,70,6c,6f,79,2e,64,6c,6c,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,46,6f,6c,64,65,72,20,52,65,64,69,72,65,63,74,69,6f,6e,\
  2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,73,6b,71,75,6f,74,61,2e,64,6c,6c,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,65,64,6b,63,73,33,32,2e,64,6c,6c,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,70,70,6d,67,6d,74,73,2e,64,6c,6c,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,41,70,70,6c,69,63,61,74,69,6f,6e,20,4d,61,6e,61,67,65,\
  6d,65,6e,74,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,28,4d,73,69,49,6e,73,\
  74,61,6c,6c,65,72,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\inexplore.com\" %1"


[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"


[HKEY_CLASSES_ROOT\.bfc\shellnew]
"Command"="%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"

[HKEY_CLASSES_ROOT\.bfc\shellnew\Config]
"NoExtension"=""


[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.exe shell32.dll,Control_RunDLL %1,%*"


[HKEY_CLASSES_ROOT\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"



Title: Trojan? Malware? Big problems
Post by: guestolo on August 22, 2006, 11:00:01 AM

Hi again
Sorry for the delay but I just have family come in from out of town so I've been real busy being a tour guide in my own town  /blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />

I didn't have you export all the keys I wanted to see, but
Here's what your up against
http://www.sarc.com/avcenter/venc/data/pws...wowcraft.b.html (http://\"http://www.sarc.com/avcenter/venc/data/pwsteal.wowcraft.b.html\")
If your comfortable in the registry, go ahead and follow Symantec's instructions

NOTE: Here is the info that Symantec's recommends
# Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
# In the right pane, delete the value:
"Shell" = "Explorer.exe 1"

That value should read, don't just delete it but rename it too the following if just one entry for Shell is found
"Shell"="Explorer.exe"

+DO NOT disable System restore as recommended by Symantec's, leave it enabled for now

+While navigating to this key
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Also remove the values from the right hand side related to these entries
"_rx"="C:\\WINDOWS\\command\\rundll32.exe"
"ms"="C:\\Program Files\\Microsoft\\svhost32.exe"

Remove the files created and identified  by Symantec's, exact names and file names if found
# %Windir%\smss.exe
# %System%\rundll32.com
# %System%\finder.com
# %Windir%\finder.com
# %System%\command.pif
# %ProgramFiles%\Internet Explorer\iexplore.com
# %ProgramFiles%\Common Files\iexplore.pif
# %Windir%\1.com
# %Windir%\ExERoute.exe
# %System%\MSCONFIG.COM
# %System%\dxdiag.com
# %System%\regedit.com
# %Windir%\Debug\DebugProgram.exe
# %windir%\explorer.com
# C:\MSCONFIG.SYS
Most were already cleaned by Ewido, but take a second look just in case

In addition, remove these 2 files if found
C:\WINDOWS\command\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe
Remember, exact file names in the proper folders

See if you can run Hijackthis after doing the above and post a fresh hijackthis log

If your uncomfortable in the registry, let me know, I can write a fix, I just don't have time for the next couple days

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 22, 2006, 11:27:10 AM

No Problem.  I really appreciate your knowledge and help.  

Comfortable in the Registry.  Well, let's put it this way, I dont even know how to get to it.  

I will do some research and see if I can figure it out.  If not, I'll just leave it until you can write a fix.

Again, Thank you.

Zim

Title: Trojan? Malware? Big problems
Post by: guestolo on August 25, 2006, 09:00:57 AM

Hi again Ziminy13
Did you make any progress?

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 27, 2006, 05:57:18 AM

My computer is barely running.  I hope you have time to deal with it.  I've been too afraid to make mistakes since I really do not know what I am  doing.  Thank you for your time.

Z

Title: Trojan? Malware? Big problems
Post by: guestolo on August 27, 2006, 11:19:40 AM

Can you do the following and let me see the other keys recommended by Symantec's
Plus a couple I added

First.... Delete the 'Files' folder on your desktop and also delete find_stuff.bat and find_stuff.zip

Then redownload find_stuff.zip from below and unzip to desktop

Double click on find_stuff.bat>>when it's done open the new Files folder and post the contents of look1.txt again
Ensure you post the whole contents

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 27, 2006, 07:04:01 PM

doesn't exist HKEY_CLASSES_ROOT\file\shell\open\command
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
doesn't exist HKEY_CLASSES_ROOT\winfiles\defaulticon
doesn't exist HKEY_CLASSES_ROOT\winfiles\shell\open\command
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138560958\\ee\\AOLSoftware.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"LXCGCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCGtime.dll,_RunDLLEntry@16"
"lxcgmon.exe"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"_rx"="C:\\WINDOWS\\command\\rundll32.exe"
"ms"="C:\\Program Files\\Microsoft\\svhost32.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"


[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
@="rundll32.exe %SystemRoot%\\System32\\mshtml.dll,PrintHTML \"%1\""


[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]
@="%SystemRoot%\\EXP10RER.com"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\inexplore.com\" %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"


[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"


[HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command]
@="\"C:\\WINDOWS\\System32\\RUNDLL32.EXE\" C:\\WINDOWS\\System32\\scrobj.dll,GenerateTypeLib \"%1\""


[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="rundll32.exe url.dll,TelnetProtocolHandler %l"


[HKEY_CLASSES_ROOT\Unknown\shell\openas\command]
@="%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\ToolSets\MSInfo]
@=""


[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\AOL\\Explorer\\1.2\\AOLExplorer.exe\" -u \"%1\" "


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="\"C:\\Program Files\\AOL\\Explorer\\1.2\\AOLExplorer.exe\" -u \"%1\" "


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="TRACY-UNZO512YV"
"DefaultUserName"="Tracy Boo Major"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="explorer.exe 1"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,2e,65,78,65,00
"LogonType"=dword:00000000
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Tracy Boo Major"
"AltDefaultDomainName"="TRACY-UNZO512YV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,64,65,70,6c,6f,79,2e,64,6c,6c,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,46,6f,6c,64,65,72,20,52,65,64,69,72,65,63,74,69,6f,6e,\
  2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,73,6b,71,75,6f,74,61,2e,64,6c,6c,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,65,64,6b,63,73,33,32,2e,64,6c,6c,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,70,70,6d,67,6d,74,73,2e,64,6c,6c,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,41,70,70,6c,69,63,61,74,69,6f,6e,20,4d,61,6e,61,67,65,\
  6d,65,6e,74,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,28,4d,73,69,49,6e,73,\
  74,61,6c,6c,65,72,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000


[HKEY_CLASSES_ROOT\.exe]
@="WindowFiles"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\inexplore.com\" %1"


[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"


[HKEY_CLASSES_ROOT\.bfc\shellnew]
"Command"="%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"

[HKEY_CLASSES_ROOT\.bfc\shellnew\Config]
"NoExtension"=""


[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.exe shell32.dll,Control_RunDLL %1,%*"


[HKEY_CLASSES_ROOT\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"



Title: Trojan? Malware? Big problems
Post by: guestolo on August 27, 2006, 07:12:17 PM

Just in the process of helping another user
Then let me come back and give me time to look over your reply
I'll post back later

Title: Trojan? Malware? Big problems
Post by: guestolo on August 27, 2006, 11:40:34 PM

Sorry for the delay, just had company
Can you do the following

From the bottom of this reply box
 download and save and then UNZIP to desktop fix.zip
So you now have fix.reg extracted
We'll need it later

Reboot into safe mode

Find and delete those 2 files if you didn't previously

C:\WINDOWS\command\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe

Remember, only delete the files in the Exact folders

Double click on fix.reg and allow to add/merge to the registry at the prompt

reboot back to Normal mode

See if you can get Hijackthis to run
If you can post a fresh hijackthis log

Also, delete the 'Files' folder and then double click on find_stuff.bat
Post the new contents of look1.txt

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 28, 2006, 10:09:27 AM

Deleted the 2 files you suggested.  Also, I downloaded a registry editor and went back to your previous suggestion to rename "Shell" = "explorer1.exe" to "Shell" = "Explorer.exe".   Hijack this and my other programs are running again.  Here are the new logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:02 AM, on 8/28/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Shawn\Computer_Help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/ (http://\"http://www.myspace.com/\")
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EA56B3-33F4-4E37-8CB6-58D14A790BC7}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

doesn't exist HKEY_CLASSES_ROOT\file\shell\open\command
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
doesn't exist HKEY_CLASSES_ROOT\winfiles\defaulticon
doesn't exist HKEY_CLASSES_ROOT\winfiles\shell\open\command
doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif\shell\open\command
-----------------------
-----------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"RaidTool"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138560958\\ee\\AOLSoftware.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"LXCGCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCGtime.dll,_RunDLLEntry@16"
"lxcgmon.exe"="\"C:\\Program Files\\Lexmark 2300 Series\\lxcgmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 2300 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
@="rundll32.exe %SystemRoot%\\System32\\mshtml.dll,PrintHTML \"%1\""


[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,6f,72,65,72,2e,65,\
  78,65,00


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"


[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"


[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"


[HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command]
@="\"C:\\WINDOWS\\System32\\RUNDLL32.EXE\" C:\\WINDOWS\\System32\\scrobj.dll,GenerateTypeLib \"%1\""


[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="rundll32.exe url.dll,TelnetProtocolHandler %l"


[HKEY_CLASSES_ROOT\Unknown\shell\openas\command]
@="%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,OpenAs_RunDLL %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command]
@="rundll32.exe shdocvw.dll,OpenURL %l"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSInfo\ToolSets\MSInfo]
@=""


[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\AOL\\Explorer\\1.2\\AOLExplorer.exe\" -u \"%1\" "


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\http\shell\open\command]
@="\"C:\\Program Files\\AOL\\Explorer\\1.2\\AOLExplorer.exe\" -u \"%1\" "


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultDomainName"="TRACY-UNZO512YV"
"DefaultUserName"="Tracy Boo Major"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,6f,67,6f,6e,75,69,2e,65,78,65,00
"LogonType"=dword:00000000
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="Tracy Boo Major"
"AltDefaultDomainName"="TRACY-UNZO512YV"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,64,65,70,6c,6f,79,2e,64,6c,6c,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,46,6f,6c,64,65,72,20,52,65,64,69,72,65,63,74,69,6f,6e,\
  2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,73,6b,71,75,6f,74,61,2e,64,6c,6c,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"=hex(2):69,65,64,6b,63,73,33,32,2e,64,6c,6c,00
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,63,65,63,6c,69,2e,64,6c,6c,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,70,70,6d,67,6d,74,73,2e,64,6c,6c,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,41,70,70,6c,69,63,61,74,69,6f,6e,20,4d,61,6e,61,67,65,\
  6d,65,6e,74,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,28,4d,73,69,49,6e,73,\
  74,61,6c,6c,65,72,2c,41,70,70,6c,69,63,61,74,69,6f,6e,29,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,70,74,65,78,74,2e,64,6c,6c,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000


[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"


[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"


[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"


[HKEY_CLASSES_ROOT\.bfc\shellnew]
"Command"="%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\syncui.dll,Briefcase_Create %2!d! %1"

[HKEY_CLASSES_ROOT\.bfc\shellnew\Config]
"NoExtension"=""


[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.exe shell32.dll,Control_RunDLL %1,%*"


[HKEY_CLASSES_ROOT\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1"



Title: Trojan? Malware? Big problems
Post by: guestolo on August 28, 2006, 08:54:00 PM

That's looking good
Can you please do the following, let's see if sysbus32 shows up

Download GMER from here:
http://www.gmer.net/gmer.zip (http://\"http://www.gmer.net/gmer.zip\")

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please DO NOT select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. Most other rootkit revealers don't.

If we see No problems we'll just do some final cleanup
Why so far behind on Windows updates?
Is this a legit version of Windows?

EDIT>>There is still some cleaning to do in your log, we'll get it after you post the log from GMER

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 28, 2006, 09:44:05 PM

That's another problem I want to deal with.  A friend of a friend put this computer together for me using parts of my old computer and parts he had me purchase online.  Windows has never been able to install an update, and Windows Media Player doesnt work.  So I'm guessing he installed it wrong or it is illegal.  I have my own disk for XP pro that is legitimate, but do not know how to reinstall using it and not loose my valuable files.

Here is what you asked for:

GMER 1.0.10.10122 - http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit 2006-08-28 22:42:22
Windows 5.1.2600


---- System - GMER 1.0.10 ----

SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwClose
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwCreateFile
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwCreateKey
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwCreateProcess
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwCreateProcessEx
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwCreateThread
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwDeleteFile
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwDeleteKey
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwDeleteValueKey
SSDT    \SystemRoot\system32\drivers\khips.sys                                       ZwLoadDriver
SSDT    \SystemRoot\system32\drivers\khips.sys                                       ZwMapViewOfSection
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwOpenFile
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwOpenKey
SSDT    \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys                        ZwOpenProcess
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwResumeThread
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwSetInformationFile
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwSetValueKey
SSDT    \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys                        ZwTerminateProcess
SSDT    \SystemRoot\system32\drivers\fwdrv.sys                                       ZwWriteFile

---- Devices - GMER 1.0.10 ----

Device  \Driver\fwdrv \Device\FWDRV IRP_MJ_SHUTDOWN                                  [F7B1785A] avgtdi.sys

---- Files - GMER 1.0.10 ----

File    C:\System Volume Information\tracking.log                                    
File    C:\System Volume Information\_restore{01C48ADF-67A0-42AF-AA1A-5995327C9C87}  

---- EOF - GMER 1.0.10 ----

Title: Trojan? Malware? Big problems
Post by: guestolo on August 28, 2006, 10:47:09 PM

Do a "System scan only" with Hijackthis and put a check next to these entries:

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Can you post one more fresh hijackthis log

Have you installed this copy of XP on any other computers?
Or is this a brand new disk you bought?

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on August 29, 2006, 10:21:12 AM

The copy of XP that I bought has been on my last 2 computers.  So this would be the 3rd one if I figure out how to get it on this one.  Is that a problem?  I've been at the same address for all 3 computers.
Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:01 AM, on 8/29/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Shawn\Computer_Help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/ (http://\"http://www.myspace.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EA56B3-33F4-4E37-8CB6-58D14A790BC7}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Title: Trojan? Malware? Big problems
Post by: guestolo on August 29, 2006, 10:32:33 PM

Typically one copy of WindowsXP for each personal computer
You can contact Microsoft if this is your only computer now and explain your situation
They may be able to help you out

In the meantime, to help prevent malware
Protect yourself against Future Attacks
*Install  SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")  

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

                 
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
Setting your AV to Autoupdate is a very smart move

*Keep your Firewall protection enabled
A Firewall is also very important
This provides a line of defense against someone/thing who might try to access your computer without your permission

Update and do scan's with your Anti-Spyware programs on a regular basis

Of course the best prevention is to get ALL latest Service packs and high priorities for Windows
See if Microsoft can help you out

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 01, 2006, 06:01:06 PM

Sorry for the delay responding.  I had to take a break from dealing with this piece of .....

It does not take 45 minutes to boot anymore but nothing else has changed

I still cannot open certain folders without EVERYTHING on the desktop disappearing and then reappearing.  So I cannot get to any files in those folders.

Computer is still running slow, in fact the Aquarium screensaver looks like an epileptic.

Any suggestions?

Title: Trojan? Malware? Big problems
Post by: guestolo on September 01, 2006, 11:50:14 PM

Quote

Aquarium screensaver looks like an epileptic

Is this a free download?
Maybe it 's the problem

Let me warn you, I don't keep a topic open to have continuing problems
If this is a new problem you JUST starting experiencing
START A NEW POST
Do not leave an old one open

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 02, 2006, 12:21:40 AM

The screensaver was store bought.  There is nothing wrong with it.  It's my computer that cant handle running it.  This is not a new problem.  It is the same 2 problems I have had since the beginning.

1.  The computer is running slow.
2.  When I open some folders everything but the wallpaper disappears and then reappears except the folder is closed.  I cannot get to any of the files in certain folders.

Same problem.

Title: Trojan? Malware? Big problems
Post by: guestolo on September 02, 2006, 12:30:22 AM

Is this a legal version of XP? Woops, no it isn't
I question this since the malware is biting you in the a**

Since you have no Windows updates, have you thought about backing up important files and folders and starting over
Since this isn't a  legal version of XP, get used to it  /huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' />
Sorry to be blunt, but seriously, get used to it
I have on my test box

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 02, 2006, 01:49:51 AM

I put a legal copy of XP on it now.  Still have the same problems.  Should I start a new thread?

Title: Trojan? Malware? Big problems
Post by: guestolo on September 02, 2006, 10:48:31 AM

I think I was having a bad day yesterday  /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />
Did you do a clean install on the machine?
Or did you reinstall over the top?

Can I see a fresh hijackthis log please

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 08, 2006, 06:44:40 AM

I reinstalled over the top cuz I was told I would not have to reinstall all of my other programs.

I also put SP2 on it and got it updated with about 30 security updates that were recommended.

Logfile of HijackThis v1.99.1
Scan saved at 7:44:17 AM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\lxcgcoms.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6EA56B3-33F4-4E37-8CB6-58D14A790BC7}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\System32\lxcgcoms.exe

Title: Trojan? Malware? Big problems
Post by: guestolo on September 08, 2006, 08:40:45 AM

Did you Defrag after reinstalling over the top and installing all the Critical updates?
How's everything running?

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 08, 2006, 09:32:50 AM

Yes, I did a defrag.  It is still running slow.  And I still cant open certain folders without everything disappearing.

Title: Trojan? Malware? Big problems
Post by: guestolo on September 09, 2006, 05:54:45 PM

Sorry, I don't see anything wrong with your log
Download WPFind.zip (http://\"http://download.bleepingcomputer.com/oldtimer/WinPFind.zip\")

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode
copy/paste the whole contents of c:\WinPFind\WinPFind.txt <-this file back here

Title: Trojan? Malware? Big problems
Post by: Ziminy13 on September 11, 2006, 07:19:45 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/11/2006 7:46:17 PM
WinPFind v1.5.0   Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
WSUD                 8/19/2006 11:45:38 PM       75858656   C:\BonusCD.zip ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!                 8/19/2006 10:27:26 PM       38400      C:\WINDOWS\2Sy.exe ()

Checking %System% folder...
WSUD                 2/23/2005 6:10:06 AM        17747968   C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2                 8/23/2001 8:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2                 6/13/2006 5:36:12 PM        620180     C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
PECompact2           6/13/2006 5:36:12 PM        620180     C:\WINDOWS\SYSTEM32\DivX.dll (DivX, Inc.)
FSG!                 8/19/2006 10:27:22 PM       106542     C:\WINDOWS\SYSTEM32\Down1(0).exe ()
PTech                6/19/2006 4:19:42 PM        571184     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2           8/9/2006 3:03:04 PM         8325544    C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack               8/9/2006 3:03:04 PM         8325544    C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD                 8/4/2004 3:56:54 AM         1200128    C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack               8/4/2004 3:56:36 AM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD                 8/4/2004 3:56:58 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor             8/4/2004 3:56:44 AM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync              8/23/2001 8:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech                6/19/2006 4:19:26 PM        304944     C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
UPX!                 9/2/2006 4:23:32 AM         777472     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG!                 9/2/2006 4:23:32 AM         777472     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2                 9/2/2006 4:23:32 AM         777472     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack               9/2/2006 4:23:32 AM         777472     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PTech                8/4/2004 1:41:38 AM         1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/11/2006 7:45:12 PM      S 2048       C:\WINDOWS\bootstat.dat ()
                     9/8/2006 6:46:42 AM      H  54156      C:\WINDOWS\QTFont.qfn ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\WindowsShell.Manifest ()
                     9/1/2006 11:55:40 PM     H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini ()
                     9/1/2006 11:56:30 PM     HS 67         C:\WINDOWS\Fonts\desktop.ini ()
                     9/1/2006 11:55:40 PM     H  65         C:\WINDOWS\occache\desktop.ini ()
                     9/1/2006 11:55:42 PM     H  65         C:\WINDOWS\Offline Web Pages\desktop.ini ()
                     9/1/2006 11:56:06 PM    RHS 242478     C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab ()
                     9/1/2006 11:56:06 PM    RHS 19959      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab ()
                     9/1/2006 11:56:06 PM    RHS 727        C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab ()
                     9/2/2006 3:46:10 AM     RHS 305145     C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab ()
                     9/2/2006 3:46:58 AM     RHS 68327      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab ()
                     9/1/2006 11:57:14 PM     H  614400     C:\WINDOWS\repair\ntuser.dat ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\system32\cdplayer.exe.manifest ()
                     9/1/2006 11:55:40 PM    RH  488        C:\WINDOWS\system32\logonui.exe.manifest ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\system32\ncpa.cpl.manifest ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\system32\nwc.cpl.manifest ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\system32\sapi.cpl.manifest ()
                     9/1/2006 11:55:40 PM    RH  488        C:\WINDOWS\system32\WindowsLogon.manifest ()
                     9/1/2006 11:55:34 PM    RH  749        C:\WINDOWS\system32\wuaucpl.cpl.manifest ()
                     7/28/2006 8:16:08 AM      S 23751      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat ()
                     7/27/2006 10:00:28 AM     S 10337      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat ()
                     7/21/2006 5:03:14 AM      S 10925      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat ()
                     7/14/2006 12:13:00 PM     S 10925      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat ()
                     7/14/2006 11:53:20 AM     S 10925      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat ()
                     9/11/2006 7:45:06 PM     H  8192       C:\WINDOWS\system32\config\default.LOG ()
                     9/1/2006 7:29:14 PM      H  0          C:\WINDOWS\system32\config\default.tmp.LOG ()
                     9/11/2006 7:45:22 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG ()
                     9/11/2006 7:45:18 PM     H  24576      C:\WINDOWS\system32\config\SECURITY.LOG ()
                     9/11/2006 7:45:18 PM     H  53248      C:\WINDOWS\system32\config\software.LOG ()
                     9/1/2006 7:29:14 PM      H  0          C:\WINDOWS\system32\config\software.tmp.LOG ()
                     9/11/2006 7:45:18 PM     H  806912     C:\WINDOWS\system32\config\system.LOG ()
                     9/1/2006 7:29:08 PM      H  0          C:\WINDOWS\system32\config\system.tmp.LOG ()
                     9/1/2006 7:29:06 PM      H  1024       C:\WINDOWS\system32\config\TempKey.LOG ()
                     9/1/2006 7:29:16 PM      H  1024       C:\WINDOWS\system32\config\userdiff.LOG ()
                     9/1/2006 11:57:16 PM     H  1024       C:\WINDOWS\system32\config\userdifr.LOG ()
                     9/2/2006 3:18:26 AM      H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
                     9/2/2006 3:18:12 AM      HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\09f80c32-da47-48a9-be3d-e654ae9593ef ()
                     9/2/2006 3:18:12 AM      HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
                     8/21/2006 12:20:44 AM    H  43713      C:\WINDOWS\system32\spool\drivers\w32x86\3\lxcghelp.GID ()
                     9/11/2006 7:44:24 PM     H  6          C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
                     8/4/2004 3:56:58 AM         68608      C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
                     2/23/2005 6:10:06 AM        17747968   C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
                     8/4/2004 3:56:58 AM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         135168     C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         129536     C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
                     8/9/2004 6:04:02 AM         73728      C:\WINDOWS\SYSTEM32\ISUSPM.cpl (InstallShield Software Corporation)
                     8/4/2004 3:56:58 AM         68608      C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
                     7/26/2006 3:03:14 AM        49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
                     8/23/2001 8:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        36864      C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
                     8/4/2004 3:56:58 AM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
                     5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
                     8/23/2001 8:00:00 AM        28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{00000161-9980-0010-8000-00AA00389B71} -  - CodeBase = http://codecs.microsoft.com/codecs/i386/msaud.cab (http://\"http://codecs.microsoft.com/codecs/i386/msaud.cab\")
{0E5F0222-96B9-11D3-8997-00104BD12D94} - PCPitstop Utility - CodeBase = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (http://\"http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB\")
{33564D57-0000-0010-8000-00AA00389B71} -  - CodeBase = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (http://\"http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB\")
{33564D57-9980-0010-8000-00AA00389B71} -  - CodeBase = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (http://\"http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab\")
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -  - CodeBase = https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...83/mcinsctl.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (http://\"http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab\")
{A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - InetDownload Class - CodeBase = https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab (http://\"https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab\")
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -  - CodeBase = https://objects.Email (http://\"https://objects.Email\") Removed/mcafee/molbin/share...,20/McGDMgr.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (http://\"http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab\")
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (http://\"http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab\")
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (http://\"http://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab\")
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (http://\"http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab\")

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     7/13/2006 10:51:16 AM       1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
                     9/1/2006 11:57:08 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     7/18/2006 12:47:58 AM       305        C:\Documents and Settings\All Users\Application Data\addr_file.html ()
                     9/1/2006 11:30:52 PM     HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
                     1/29/2006 3:58:48 PM        652        C:\Documents and Settings\Tracy Boo Major\Start Menu\Programs\Startup\BHODemon 2.0.lnk ()
                     12/19/2005 10:03:22 AM   HS 84         C:\Documents and Settings\Tracy Boo Major\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
                     1/1/2005 4:32:22 AM      HS 62         C:\Documents and Settings\Tracy Boo Major\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
  \\Start Page - http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home (http://\"http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home\")
  \\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch (http://\"http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch\")
  \\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome (http://\"http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome\")
  \\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch (http://\"http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch\")
  \\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
  \\Start Page - http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
  \\Search Page - http://ie.search.msn.com (http://\"http://ie.search.msn.com\")
  \\Default_Search_URL - http://ie.search.msn.com (http://\"http://ie.search.msn.com\")
  \\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
  \\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm (http://\"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm\")
  \\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm (http://\"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm\")


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
  \\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
  \{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
  \{53707962-6F74-2D53-2644-206D7942484F} -  = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
  \{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
  \{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
  \{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
  \{32683183-48a0-441b-a342-7c2a440a9478} -  =  ()
  \{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
  \ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
  \WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
  \WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
  \\NEXTID - 8198
  \\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8193 =
  \\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 = Sun Java Console
  \\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - 8195 = PartyPoker.com
  \\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8197 = Windows Messenger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
  \{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll (Sun Microsystems, Inc.)
  \{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
  \{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - ButtonText: PartyPoker.com = C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
  \{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
  \\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
  \\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression =  ()
  \\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu =  ()
  \\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
  \\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu =  ()
  \\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band =  ()
  \\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts =  ()
  \\{955B7B84-5308-419c-8ED8-0B9CA3C56985} - America Online = C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll (America Online, Inc.)
  \\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
  \\{02A62A55-544C-42CD-8EE0-F364E8338D3D} - Image Previewer = C:\WINDOWS\System32\ShellExtension.dll (SoftTech InterCorp Corporation, http://www.stintercorp.com/) (http://\"http://www.stintercorp.com/)\")
  \\{A464F9AE-3108-4A4B-AA37-F7546589D961} - ShellExtensionPropSheet = C:\WINDOWS\System32\ShellExtension.dll (SoftTech InterCorp Corporation, http://www.stintercorp.com/) (http://\"http://www.stintercorp.com/)\")
  \\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning =  ()
  \\{52B87208-9CCF-42C9-B88E-069281105805} - Trojan Remover Shell Extension = C:\PROGRA~1\TROJAN~1\Trshlex.dll ()
  \\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
  \\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
  \AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
  \ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
  \ImagePreview - {02A62A55-544C-42CD-8EE0-F364E8338D3D} = C:\WINDOWS\System32\ShellExtension.dll (SoftTech InterCorp Corporation, http://www.stintercorp.com/) (http://\"http://www.stintercorp.com/)\")
  \Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
  \ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
  \ImagePreview - {02A62A55-544C-42CD-8EE0-F364E8338D3D} = C:\WINDOWS\System32\ShellExtension.dll (SoftTech InterCorp Corporation, http://www.stintercorp.com/) (http://\"http://www.stintercorp.com/)\")

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
  \AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
  \ImagePreview - {02A62A55-544C-42CD-8EE0-F364E8338D3D} = C:\WINDOWS\System32\ShellExtension.dll (SoftTech InterCorp Corporation, http://www.stintercorp.com/) (http://\"http://www.stintercorp.com/)\")
  \Trojan Remover - {52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\TROJAN~1\Trshlex.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
  \{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  VTTimer - C:\WINDOWS\SYSTEM32\VTTimer.exe (S3 Graphics, Inc.)
  VTTrayp - C:\WINDOWS\SYSTEM32\VTtrayp.exe (S3 Graphics Co., Ltd.)
  RaidTool - C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
  HostManager - C:\Program Files\Common Files\AOL\1138560958\ee\AOLSoftware.exe (America Online, Inc.)
  SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
  IPHSend - C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe (America Online, Inc.)
  LXCGCATS - rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll ()
  lxcgmon.exe - C:\Program Files\Lexmark 2300 Series\lxcgmon.exe (Lexmark International, Inc.)
  EzPrint - C:\Program Files\Lexmark 2300 Series\ezprint.exe (Lexmark International Inc.)
  FaxCenterServer - C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
  !ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
  TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
  SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
  AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
  IMAIL   Installed = 1
  MAPI   Installed = 1
  MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
  FreeRAM XP - C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions (tm))

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
  C:\Documents and Settings\Tracy Boo Major\Start Menu\Programs\Startup\BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe (Definitive Solutions, Inc.)
  C:\Documents and Settings\Tracy Boo Major\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
  \\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
  \Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
  \\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
  \\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
  \\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
  \\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
  \\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
  \\{08315C1A-9BA9-4B7C-A432-26885F78DF28} -  = C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoi.vxd ()
  \\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
  \\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
  \\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  \\UserInit = C:\WINDOWS\system32\userinit.exe,
  \\Shell = Explorer.exe
  \\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
  \crypt32chain - crypt32.dll = (Microsoft Corporation)
  \cryptnet - cryptnet.dll = (Microsoft Corporation)
  \cscdll - cscdll.dll = (Microsoft Corporation)
  \ScCertProp - wlnotify.dll = (Microsoft Corporation)
  \Schedule - wlnotify.dll = (Microsoft Corporation)
  \sclgntfy - sclgntfy.dll = (Microsoft Corporation)
  \SensLogn - WlNotify.dll = (Microsoft Corporation)
  \termsrv - wlnotify.dll = (Microsoft Corporation)
  \WgaLogon - WgaLogon.dll = (Microsoft Corporation)
  \wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
  {D7C40092-8986-4427-A0EC-6724D3BA8CC0} -   (Realtek RTL8139/810x Family Fast Ethernet NIC)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
  \000000000001\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
  \000000000002\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
  \000000000003\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
  \000000000004\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
  \000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
  \000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
  \000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
  \000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
  \ipp -  ()
  \msdaipp -  ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»