Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - pakram

Pages: [1]
1
Tech Clinic / HJT Log
« on: February 05, 2006, 06:11:57 PM »
Hi Guestolo,

Sorry for the slow response, been a bust week here. Did what you suggested and below find the following logs, I also placed the Registry Mechanic log as well. Please note I removed my user name in the logs with an "x".

WinPFind Log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX!                 2/2/2006 3:50:56 PM         27262976   C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 7/16/2003 11:20:54 AM       41397      C:\WINDOWS\SYSTEM32\dfrg.msc
PTech                1/12/2006 11:32:12 AM       543496     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2           1/4/2006 7:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 7:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 2:56:36 AM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 2:56:44 AM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              7/16/2003 11:44:22 AM       1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/4/2004 12:41:38 AM        1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     2/5/2006 12:48:52 PM      S 2048       C:\WINDOWS\bootstat.dat
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\WindowsShell.Manifest
                     2/3/2006 8:20:32 AM       S 64         C:\WINDOWS\CSC\00000001
                     2/3/2006 8:16:16 AM       S 64         C:\WINDOWS\CSC\00000002
                     1/29/2006 4:04:12 PM     H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
                     1/29/2006 4:04:52 PM     HS 67         C:\WINDOWS\Fonts\desktop.ini
                     1/29/2006 11:10:42 PM    H  0          C:\WINDOWS\inf\oem6.inf
                     1/29/2006 4:04:12 PM     H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
                     1/29/2006 4:04:30 PM    RHS 727        C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
                     1/30/2006 12:15:40 AM   RHS 305145     C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_10.cab
                     1/30/2006 12:20:30 AM   RHS 68327      C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_11.cab
                     1/29/2006 4:04:30 PM    RHS 19854      C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
                     1/29/2006 4:04:30 PM    RHS 243124     C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
                     1/29/2006 4:09:20 PM     H  229376     C:\WINDOWS\repair\ntuser.dat
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\system32\cdplayer.exe.manifest
                     1/29/2006 4:04:12 PM    RH  488        C:\WINDOWS\system32\logonui.exe.manifest
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\system32\ncpa.cpl.manifest
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\system32\nwc.cpl.manifest
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\system32\sapi.cpl.manifest
                     2/4/2006 9:09:30 PM      H  35870      C:\WINDOWS\system32\vsconfig.xml
                     1/29/2006 4:04:12 PM    RH  488        C:\WINDOWS\system32\WindowsLogon.manifest
                     1/29/2006 4:04:06 PM    RH  749        C:\WINDOWS\system32\wuaucpl.cpl.manifest
                     2/4/2006 9:06:42 PM      H  4212       C:\WINDOWS\system32\zllictbl.dat
                     1/2/2006 6:09:36 PM       S 11223      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
                     2/5/2006 12:48:44 PM     H  8192       C:\WINDOWS\system32\config\default.LOG
                     2/5/2006 12:49:12 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     2/5/2006 12:48:54 PM     H  12288      C:\WINDOWS\system32\config\SECURITY.LOG
                     2/5/2006 12:49:12 PM     H  102400     C:\WINDOWS\system32\config\software.LOG
                     2/5/2006 12:49:00 PM     H  954368     C:\WINDOWS\system32\config\system.LOG
                     1/29/2006 10:30:16 AM    H  1024       C:\WINDOWS\system32\config\TempKey.LOG
                     1/29/2006 10:30:16 AM    H  1024       C:\WINDOWS\system32\config\userdiff.LOG
                     1/29/2006 11:36:56 PM    H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     1/29/2006 10:31:24 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
                     1/30/2006 12:20:30 AM     S 558        C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
                     1/30/2006 12:20:30 AM     S 144        C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
                     1/29/2006 10:31:24 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
                     1/29/2006 4:04:32 PM     HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
                     1/29/2006 4:04:34 PM     HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
                     1/29/2006 4:04:32 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
                     1/29/2006 4:04:32 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
                     1/29/2006 4:04:34 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\41YZKLM7\desktop.ini
                     1/29/2006 4:04:32 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LMRS967\desktop.ini
                     1/29/2006 4:04:32 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CH67GLYF\desktop.ini
                     1/29/2006 4:04:34 PM     HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJU989OP\desktop.ini
                     1/29/2006 4:04:14 PM     HS 181        C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
                     1/29/2006 10:31:24 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
                     1/29/2006 4:05:20 PM     HS 206        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
                     1/29/2006 4:05:20 PM     HS 482        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
                     1/29/2006 4:05:20 PM     HS 348        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
                     1/29/2006 4:05:20 PM     HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
                     1/29/2006 4:05:20 PM     HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
                     1/29/2006 9:13:16 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\696564ae-239e-4411-932d-957bab9e8da3
                     1/29/2006 9:13:16 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
                     1/29/2006 5:20:54 PM     HS 388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bea1c1ec-b046-4f85-be48-0ce0a3022614
                     1/29/2006 5:20:54 PM     HS 24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     2/5/2006 12:48:00 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/4/2004 2:56:58 AM         68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Dell Computer Corporation      7/9/2004 4:41:00 PM         983040     C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
Microsoft Corporation          8/4/2004 2:56:58 AM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               11/19/2003 5:48:12 PM       61555      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          7/16/2003 11:26:58 AM       187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          7/16/2003 11:31:48 AM       35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          7/16/2003 11:34:02 AM       36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
SigmaTel Inc.                  7/20/2004 11:14:06 AM       102481     C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          7/16/2003 11:41:52 AM       28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          7/16/2003 11:26:58 AM       187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          7/16/2003 11:31:48 AM       35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          7/16/2003 11:34:02 AM       36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          7/16/2003 11:41:52 AM       28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     2/2/2006 3:36:58 PM         1615       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     1/29/2006 4:05:20 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     1/29/2006 10:31:24 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     1/29/2006 4:05:20 PM     HS 84         C:\Documents and Settings\mxxx mxxxxxx\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     1/29/2006 10:31:24 AM    HS 62         C:\Documents and Settings\mxxx mxxxxxx\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = D:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
   {BDA77241-42F6-11d0-85E2-00AA001FE28C}    = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
   {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}    = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
   {BDA77241-42F6-11d0-85E2-00AA001FE28C}    = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
   {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}    = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = D:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
   {EBDF1F20-C829-11D1-8233-FF20AF3E97A9}    = D:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = D:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
   ButtonText    = Research   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Apoint   C:\Program Files\Apoint\Apoint.exe
   RegistryMechanic   
   THGuard   "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
   SunJavaUpdateSched   C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
   vptray   C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
   NeroCheck   C:\WINDOWS\system32\NeroCheck.exe
   Zone Labs Client   D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   ctfmon.exe   C:\WINDOWS\system32\ctfmon.exe
   SpybotSD TeaTimer   D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
   UPnPMonitor                       {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
    = C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/5/2006 12:56:48 PM


Post_This:
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Feb 5, 2006 5:54:55 PM


===> Begin Service Listing <===

Unknown Service #1
Service Name: DefWatch
Display Name: DefWatch
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\defwatch.exe
State: Running
Process ID: 192
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: ewido security suite control
Display Name: ewido security suite control
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\ewido anti-malware\ewidoctrl.exe
State: Running
Process ID: 216
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: ewido security suite guard
Display Name: ewido security suite guard
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: d:\program files\ewido anti-malware\ewidoguard.exe
State: Running
Process ID: 228
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #4
Service Name: GhostStartService
Display Name: GhostStartService
Start Mode: Manual
Start Name: LocalSystem
Description: Background service to allow Norton Ghost to perform priviledged ...
Service Type: Own Process
Path: d:\progra~1\symantec\norton~1\ghosts~2.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service #5
Service Name: Norton AntiVirus Server
Display Name: Symantec AntiVirus Client
Start Mode: Auto
Start Name: LocalSystem
Description: Provides real-time virus scanning, reporting, and management functionality for Symantec Client ...
Service Type: Own Process
Path: c:\progra~1\symant~1\symant~1\rtvscan.exe
State: Running
Process ID: 536
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #6
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{eb1b680e-7b9b-43a2-9f4a-dc9fe758d6a5}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 7
Service Name: WLTRYSVC
Display Name: WLTRYSVC
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\wltrysvc.exe c:\windows\system32\bcmwltry.exe
State: Running
Process ID: 1560
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 91 Win32 services on this machine.
7 were unrecognized.

Script Execution Time: 1.371094 seconds.

Registry Mechanic log:
----------------------------------------------------------------------------------------------------
Registry Mechanic 5.1.0.224
----------------------------------------------------------------------------------------------------
Start of Scan
2/5/2006 12:33:27 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 177320
MEMORY TOTAL: 523496
VIRTUAL FREE: 2016120
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP   5.1 (Build 2600)

----------------------------------------------------------------------------------------------------
Running processes:                      Process ID
----------------------------------------------------------------------------------------------------
[System Process]                        0
System                                  4
smss.exe                                564
csrss.exe                               640
winlogon.exe                            668
services.exe                            716
lsass.exe                               728
ati2evxx.exe                            872
svchost.exe                             884
svchost.exe                             972
svchost.exe                             1012
svchost.exe                             1056
svchost.exe                             1164
spoolsv.exe                             1436
scardsvr.exe                            1476
cisvc.exe                               148
DefWatch.exe                            184
ewidoctrl.exe                           204
ewidoguard.exe                          220
MDM.EXE                                 276
Rtvscan.exe                             420
tcpsvcs.exe                             456
wdfmgr.exe                              528
vsmon.exe                               272
ati2evxx.exe                            820
explorer.exe                            1180
WLTRYSVC.EXE                            1052
BCMWLTRY.EXE                            1272
Apoint.exe                              1664
THGuard.exe                             1676
jusched.exe                             1760
VPTray.exe                              1784
zlclient.exe                            1872
ctfmon.exe                              1980
ApntEx.exe                              1988
TeaTimer.exe                            1508
alg.exe                                 2160
cidaemon.exe                            524
RegMech.exe                             3532
----------------------------------------------------------------------------------------------------
Sections Scanned:
----------------------------------------------------------------------------------------------------

DEEP - 2
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
Value   : CachePath = C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Parsed  : C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache1

DEEP - 3
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
Value   : CachePath = C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache2
Parsed  : C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache2

DEEP - 4
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
Value   : CachePath = C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache3
Parsed  : C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache3

DEEP - 5
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
Value   : CachePath = C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache4
Parsed  : C:\Documents and Settings\mxxx mxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\Cache4

----------------------------------------------------------------------------------------------------
Registry Mechanic 5.1.0.224
----------------------------------------------------------------------------------------------------
End of Scan
2/5/2006 12:34:04 PM
Your System Information :
CPU: Intel Pentium
IE: Internet Explorer 6.0.2900
MEMORY FREE: 177320
MEMORY TOTAL: 523496
VIRTUAL FREE: 2016120
VIRTUAL TOTAL: 2097024
WINDOWS VER: Windows XP   5.1 (Build 2600)

2
Tech Clinic / HJT Log
« on: January 30, 2006, 12:54:45 AM »
Hey Guestolo

Thanks for the quick response. I tried what you suggested already and had the same things show up. I'm thinking it is some type of service running but can't seem to find it in the registry. I know my temp Internet file is empty so I don't understand what's going on. Do you see anything suspicious in the Hijack This log?

3
Tech Clinic / HJT Log
« on: January 29, 2006, 02:26:28 AM »
Hi,
Could you please check my HJT log. A couple days ago I got a few nasty treats....W32.spybot.worm, Trojan Clicker small 101, WinAD(MeidaGateway), and some type of kazza malware. Seemed to get all these in 1 or 2 days. I usually run some type of scan everytime I'm on the comp. I believe I have taken care of most of the nasty things but there still seems to be some odd stuff going on. In addition to the scanners I had running at the time this happened I dwnld a few highly rated freeware scanners and scanned some more.
I am having one particular problem in my Reg. Mechanic scan, I keep getting 4 instances of IE5 cache's {cache1, 2, 3, & 4} all on seperate lines. The source is coming from my temp Internet files which of-course I deleted, as well as the registry values. But everytime I reboot the same ones return. I uninstalled IE & no change.
Sorry to make this so long, just wanted to give you some details.
Any help would be greatly appriciated. Here's my HJT log.

Thank You

Logfile of HijackThis v1.99.1
Scan saved at 1:39:03 AM, on 1/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACUMon.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CiscoSystemTrayIcon] C:\WINDOWS\system32\ACUMon.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Pages: [1]