Author Topic: 3 different pieces of malware :(  (Read 2114 times)

weird_c00kie
3 different pieces of malware :(
« on: October 09, 2005, 09:04:18 AM »
(1) WIN32.P2P-WORM.ALCAN.A
(2) WORM_MUGLY.I
and
(3) WORM_SDBOT.DAM

AdAware picks up (1) and supposedly removes it, but it comes back every time I reboot.
Pc-Cillin picked up and supposedly quarantined (3) a few days ago (5/10/2005), but I don't think it really got rid of it.
Also, every time Windows boots up, I get a message from Pc-Cillin that it found and quarantined (2), but obviously if it comes up every time Windows boots up, it's still running loose in my system.

I followed the instructions for getting rid of (1) that were given in this thread: http://www.thetechguide.com/forum/index.php?showtopic=21039

and I followed the instructions for getting rid of (3) given on the Trend Micro website, but neither one has helped.
AdAware still picks up (1), and none of the registry entries mentioned in Trend Micro's solution for (3) appear in my registry.


On top of all that, Ctrl+Alt+Del no longer brings up Task Manager, which makes it just that much harder to terminate any unwanted processes.

Any ideas?!?


This is a brand new system, and not too long ago I had a virus wipe out half my hardware, including the pricey graphics card, so panic is going to start setting in soon.


I'm running XP, if that helps any.

guestolo (Administrator)
3 different pieces of malware :(
« Reply #1 on: October 09, 2005, 09:10:53 AM »
Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation.

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Let this run uninterrupted
Close out after

Restart back to Normal mode
Post the results of the WinPFind.txt located in the WinPFind folder

From my signature below, download and save to a permanent folder HijackThis 1.99.1
Do a system scan and save log file

Post the whole contents of the log back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


weird_c00kie
3 different pieces of malware :(
« Reply #2 on: October 09, 2005, 09:15:09 AM »
I did the WinPFind process thingo just before I created this thread, so here's the log I got from that

==========================================


WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
PEC2                 9/10/2005 6:58:32 PM        6981273    C:\Program Files\Oxford Dictionary.tr
PTech                9/10/2005 6:58:32 PM        6981273    C:\Program Files\Oxford Dictionary.tr

Checking %WinDir% folder...

Checking %System% folder...
aspack               18/03/2005 5:19:58 PM       2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 23/08/2001 10:00:00 PM      41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 26/07/2004 12:13:08 PM      200192     C:\WINDOWS\SYSTEM32\LameACM.acm
PECompact2           9/09/2005 1:08:28 PM        1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               9/09/2005 1:08:28 PM        1997664    C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor             12/02/2002 6:14:12 PM       630784     C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX!                 5/09/2005 12:58:38 AM       782848     C:\WINDOWS\SYSTEM32\tentacle.scr
aspack               5/09/2005 12:57:32 AM       1732596    C:\WINDOWS\SYSTEM32\Vector Trance.scr
winsync              23/08/2001 10:00:00 PM      1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 24/08/2005 8:22:36 PM       962672     C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack               24/08/2005 8:22:36 PM       962672     C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/10/2005 11:31:44 PM     S 2048       C:\WINDOWS\bootstat.dat
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\WindowsShell.Manifest
                     24/08/2005 5:27:32 PM    H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
                     24/08/2005 5:27:58 PM    HS 67         C:\WINDOWS\Fonts\desktop.ini
                     16/09/2005 12:10:30 PM   H  10820      C:\WINDOWS\Help\Windows.GID
                     25/08/2005 6:34:58 PM    H  0          C:\WINDOWS\inf\oem11.inf
                     25/08/2005 7:34:42 PM    H  0          C:\WINDOWS\inf\oem12.inf
                     25/08/2005 12:38:46 AM   H  0          C:\WINDOWS\LastGood\INF\codecs10.inf
                     25/08/2005 12:38:46 AM   H  0          C:\WINDOWS\LastGood\INF\codecs10.PNF
                     9/09/2005 3:35:42 PM     H  0          C:\WINDOWS\LastGood\INF\d3dx9_25_x86.inf
                     9/09/2005 3:35:42 PM     H  0          C:\WINDOWS\LastGood\INF\d3dx9_25_x86.PNF
                     25/08/2005 12:38:44 AM   H  0          C:\WINDOWS\LastGood\INF\DRM10.inf
                     25/08/2005 12:38:44 AM   H  0          C:\WINDOWS\LastGood\INF\DRM10.PNF
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\js56nen.inf
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\js56nen.PNF
                     25/08/2005 7:35:36 PM    H  0          C:\WINDOWS\LastGood\INF\kb870669.inf
                     25/08/2005 7:35:36 PM    H  0          C:\WINDOWS\LastGood\INF\kb870669.PNF
                     5/10/2005 5:27:12 PM     H  0          C:\WINDOWS\LastGood\INF\LameACM.inf
                     5/10/2005 5:27:12 PM     H  0          C:\WINDOWS\LastGood\INF\LameACM.PNF
                     31/08/2005 12:44:38 AM   H  0          C:\WINDOWS\LastGood\INF\mp43dmo.inf
                     31/08/2005 12:44:38 AM   H  0          C:\WINDOWS\LastGood\INF\mp43dmo.PNF
                     25/08/2005 12:39:00 AM   H  0          C:\WINDOWS\LastGood\INF\MPCD10.inf
                     25/08/2005 12:39:00 AM   H  0          C:\WINDOWS\LastGood\INF\MPCD10.PNF
                     25/08/2005 12:38:44 AM   H  0          C:\WINDOWS\LastGood\INF\MPPRE10.inf
                     25/08/2005 12:38:44 AM   H  0          C:\WINDOWS\LastGood\INF\MPPRE10.PNF
                     25/08/2005 12:39:00 AM   H  0          C:\WINDOWS\LastGood\INF\MPSTUB10.inf
                     25/08/2005 12:39:00 AM   H  0          C:\WINDOWS\LastGood\INF\MPSTUB10.PNF
                     25/08/2005 12:37:22 AM   H  0          C:\WINDOWS\LastGood\INF\oem11.inf
                     25/08/2005 12:37:22 AM   H  0          C:\WINDOWS\LastGood\INF\oem11.PNF
                     25/08/2005 6:36:30 PM    H  0          C:\WINDOWS\LastGood\INF\oem12.inf
                     25/08/2005 6:36:30 PM    H  0          C:\WINDOWS\LastGood\INF\oem12.PNF
                     25/08/2005 7:34:44 PM    H  0          C:\WINDOWS\LastGood\INF\oem13.inf
                     25/08/2005 7:34:44 PM    H  0          C:\WINDOWS\LastGood\INF\oem13.PNF
                     29/08/2005 3:12:54 PM    H  0          C:\WINDOWS\LastGood\INF\oem14.inf
                     29/08/2005 3:12:54 PM    H  0          C:\WINDOWS\LastGood\INF\oem14.PNF
                     5/10/2005 5:26:50 PM     H  0          C:\WINDOWS\LastGood\INF\oem15.inf
                     5/10/2005 5:26:50 PM     H  0          C:\WINDOWS\LastGood\INF\oem15.PNF
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\q318202_win2k.inf
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\q318202_win2k.PNF
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\q318203_win2k.inf
                     25/08/2005 7:31:58 PM    H  0          C:\WINDOWS\LastGood\INF\q318203_win2k.PNF
                     25/08/2005 7:34:04 PM    H  0          C:\WINDOWS\LastGood\INF\q823353.inf
                     25/08/2005 7:34:04 PM    H  0          C:\WINDOWS\LastGood\INF\q823353.PNF
                     25/08/2005 7:34:44 PM    H  0          C:\WINDOWS\LastGood\INF\q832483_270_winxpx.inf
                     25/08/2005 7:34:44 PM    H  0          C:\WINDOWS\LastGood\INF\q832483_270_winxpx.PNF
                     25/08/2005 7:31:02 PM    H  0          C:\WINDOWS\LastGood\INF\vbs56nen.inf
                     25/08/2005 7:31:02 PM    H  0          C:\WINDOWS\LastGood\INF\vbs56nen.PNF
                     9/09/2005 3:35:46 PM     H  0          C:\WINDOWS\LastGood\INF\wmad.inf
                     9/09/2005 3:35:46 PM     H  0          C:\WINDOWS\LastGood\INF\wmad.PNF
                     25/08/2005 12:38:50 AM   H  0          C:\WINDOWS\LastGood\INF\WMDM10.inf
                     25/08/2005 12:38:50 AM   H  0          C:\WINDOWS\LastGood\INF\WMDM10.PNF
                     25/08/2005 12:38:46 AM   H  0          C:\WINDOWS\LastGood\INF\WMFSDK10.inf
                     25/08/2005 12:38:46 AM   H  0          C:\WINDOWS\LastGood\INF\WMFSDK10.PNF
                     25/08/2005 12:38:54 AM   H  0          C:\WINDOWS\LastGood\INF\WMP10.inf
                     25/08/2005 12:38:54 AM   H  0          C:\WINDOWS\LastGood\INF\WMP10.PNF
                     25/08/2005 12:39:02 AM   H  0          C:\WINDOWS\LastGood\INF\WMSET10.inf
                     25/08/2005 12:39:02 AM   H  0          C:\WINDOWS\LastGood\INF\WMSET10.PNF
                     25/08/2005 12:38:52 AM   H  0          C:\WINDOWS\LastGood\INF\WPD10.inf
                     25/08/2005 12:38:52 AM   H  0          C:\WINDOWS\LastGood\INF\WPD10.PNF
                     25/08/2005 12:38:52 AM   H  0          C:\WINDOWS\LastGood\INF\wpdmtp.inf
                     25/08/2005 12:38:52 AM   H  0          C:\WINDOWS\LastGood\INF\wpdmtp.PNF
                     24/08/2005 7:57:12 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem10.inf
                     24/08/2005 7:57:12 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem10.PNF
                     24/08/2005 7:53:42 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem3.inf
                     24/08/2005 7:53:42 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem3.PNF
                     24/08/2005 7:55:08 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
                     24/08/2005 7:55:08 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
                     24/08/2005 7:56:44 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem5.inf
                     24/08/2005 7:56:44 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem5.PNF
                     24/08/2005 7:56:48 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
                     24/08/2005 7:56:48 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
                     24/08/2005 7:56:50 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
                     24/08/2005 7:56:50 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
                     24/08/2005 7:56:52 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem8.inf
                     24/08/2005 7:56:52 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem8.PNF
                     24/08/2005 7:56:54 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem9.inf
                     24/08/2005 7:56:54 PM    H  0          C:\WINDOWS\LastGood.Tmp\INF\oem9.PNF
                     24/08/2005 5:27:32 PM    H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
                     24/08/2005 5:27:42 PM   RHS 242478     C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
                     25/08/2005 7:35:20 PM   RHS 25565      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
                     25/08/2005 7:35:20 PM   RHS 25529      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
                     25/08/2005 7:35:20 PM   RHS 26316      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
                     25/08/2005 7:35:20 PM   RHS 26386      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
                     25/08/2005 7:35:20 PM   RHS 26656      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
                     24/08/2005 5:27:42 PM   RHS 19959      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
                     25/08/2005 7:35:20 PM   RHS 26651      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
                     25/08/2005 7:35:20 PM   RHS 26254      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
                     25/08/2005 7:35:20 PM   RHS 26107      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
                     25/08/2005 7:35:20 PM   RHS 26448      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
                     25/08/2005 7:35:20 PM   RHS 25852      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
                     24/08/2005 5:27:42 PM   RHS 727        C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
                     25/08/2005 7:35:20 PM   RHS 26289      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
                     25/08/2005 7:35:20 PM   RHS 26382      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
                     25/08/2005 7:35:20 PM   RHS 26290      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
                     25/08/2005 7:35:20 PM   RHS 25895      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
                     25/08/2005 7:35:20 PM   RHS 26493      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
                     25/08/2005 7:35:20 PM   RHS 26228      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
                     25/08/2005 7:35:22 PM   RHS 26466      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
                     25/08/2005 7:35:22 PM   RHS 26282      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
                     25/08/2005 7:35:22 PM   RHS 26319      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
                     25/08/2005 7:35:22 PM   RHS 26283      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
                     25/08/2005 7:32:36 PM   RHS 70111      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
                     25/08/2005 7:35:22 PM   RHS 26289      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
                     25/08/2005 7:35:22 PM   RHS 26125      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
                     25/08/2005 7:35:22 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
                     25/08/2005 7:32:36 PM   RHS 27774      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
                     25/08/2005 7:35:18 PM   RHS 26172      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
                     25/08/2005 7:35:20 PM   RHS 25958      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
                     25/08/2005 7:35:20 PM   RHS 10469      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
                     24/08/2005 5:28:16 PM    H  233472     C:\WINDOWS\repair\ntuser.dat
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\system32\cdplayer.exe.manifest
                     24/08/2005 5:27:32 PM   RH  488        C:\WINDOWS\system32\logonui.exe.manifest
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\system32\ncpa.cpl.manifest
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\system32\nwc.cpl.manifest
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\system32\sapi.cpl.manifest
                     24/08/2005 5:27:32 PM   RH  488        C:\WINDOWS\system32\WindowsLogon.manifest
                     24/08/2005 5:27:26 PM   RH  749        C:\WINDOWS\system32\wuaucpl.cpl.manifest
                     9/10/2005 11:31:42 PM    H  8192       C:\WINDOWS\system32\config\default.LOG
                     9/10/2005 11:31:54 PM    H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     9/10/2005 11:31:44 PM    H  12288      C:\WINDOWS\system32\config\SECURITY.LOG
                     9/10/2005 11:32:50 PM    H  143360     C:\WINDOWS\system32\config\software.LOG
                     9/10/2005 11:31:46 PM    H  917504     C:\WINDOWS\system32\config\system.LOG
                     25/08/2005 2:18:42 AM    H  1024       C:\WINDOWS\system32\config\TempKey.LOG
                     25/08/2005 2:18:44 AM    H  1024       C:\WINDOWS\system32\config\userdiff.LOG
                     14/09/2005 11:21:48 PM   H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     25/08/2005 2:20:22 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
                     25/08/2005 2:20:22 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
                     24/08/2005 5:27:44 PM    HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
                     24/08/2005 5:27:44 PM    HS 113        C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\28P9U7MA\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\94DC4VNV\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\9X9GBB1F\desktop.ini
                     24/08/2005 5:27:44 PM    HS 67         C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AOM13874\desktop.ini
                     24/08/2005 5:27:32 PM    HS 181        C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
                     25/08/2005 2:20:22 AM    HS 62         C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
                     24/08/2005 5:28:16 PM    HS 206        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
                     24/08/2005 5:28:16 PM    HS 482        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
                     24/08/2005 5:28:16 PM    HS 348        C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
                     24/08/2005 5:28:16 PM    HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
                     24/08/2005 5:28:16 PM    HS 84         C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
                     25/08/2005 6:35:00 PM   RHS 13695      C:\WINDOWS\system32\Restore\filelist.xml
                     9/10/2005 11:30:42 PM    H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          23/08/2001 10:00:00 PM      66048      C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.    17/11/2004 6:08:06 PM       16162816   C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          23/08/2001 10:00:00 PM      558592     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      130048     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      294912     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      119808     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          29/08/2002 3:41:00 AM       208896     C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         3/06/2005 3:52:54 AM        49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation             8/07/2005 6:57:00 PM        73728      C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      270848     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          26/05/2005 4:16:30 AM       174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      558592     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      130048     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      294912     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      119808     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          29/08/2002 3:41:00 AM       208896     C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      270848     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          23/08/2001 10:00:00 PM      90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     24/08/2005 5:28:16 PM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     25/08/2005 2:20:22 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     24/08/2005 5:28:16 PM    HS 84         C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     25/08/2005 2:20:22 AM    HS 62         C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AceFTP
   {1EBC3533-B289-409F-9924-B84B3F0717D2}    = C:\PROGRA~1\ACEFTP~1\FTPCntxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
   {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}    = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
       = C:\Program Files\Trend Micro\Internet Security\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
       = C:\Program Files\Trend Micro\Internet Security\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\AceFTP
   {1EBC3533-B289-409F-9924-B84B3F0717D2}    = C:\PROGRA~1\ACEFTP~1\FTPCntxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
   PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
   AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
   PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
   Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx
   {47833539-D0C5-4125-9FA8-0819E2EAAC93}    = Adobe PDF   : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
   ButtonText    = Spyware Doctor   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B4E30F61-16D9-11D3-85D1-005004229569}
   ButtonText    = Web Entry   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   NvCplDaemon   RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
   nwiz   nwiz.exe /install
   NvMediaCenter   RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
   SoundMan   SOUNDMAN.EXE
   pccguide.exe   "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
   PCClient.exe   "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
   TM Outbreak Agent   "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
   DU Meter   C:\Program Files\DU Meter\DUMeter.exe
   SunJavaUpdateSched   C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   winsupdater   C:\Program Files\winsupdater\winsupdater.exe /auto
   MSConfig   C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   CTFMON.EXE   C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk
   path   C:\Documents and Settings\Me\Start Menu\Programs\Startup\Lotus Organizer EasyClip.lnk
   backup   C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkStartup
   location   Startup
   command   C:\PROGRA~1\lotus\organize\EASYCL~1.EXE /LEN
   item   Lotus Organizer EasyClip

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   
   hkey   HKLM
   command   
   inimapping   0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Acrobat Assistant 7.0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Acrotray
   hkey   HKLM
   command   "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Acrotray
   hkey   HKLM
   command   "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   HPWuSchd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   HPWuSchd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpztsb08
   hkey   HKLM
   command   C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpztsb08
   hkey   HKLM
   command   C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NBJ
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NBJ
   hkey   HKCU
   command   "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NBJ
   hkey   HKCU
   command   "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NeroCheck
   hkey   HKLM
   command   C:\WINDOWS\system32\NeroCheck.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NeroCheck
   hkey   HKLM
   command   C:\WINDOWS\system32\NeroCheck.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PDVDServ
   hkey   HKLM
   command   "C:\Program Files\PowerDVD\PDVDServ.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PDVDServ
   hkey   HKLM
   command   "C:\Program Files\PowerDVD\PDVDServ.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   realsched
   hkey   HKLM
   command   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   realsched
   hkey   HKLM
   command   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   2
   services   0
   startup   2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/10/2005 11:39:05 PM

weird_c00kie
3 different pieces of malware :(
« Reply #3 on: October 09, 2005, 09:16:24 AM »
and here's the Hijackthis log

=============================================

Logfile of HijackThis v1.99.1
Scan saved at 12:13:28 AM, on 10/10/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\Program Files\lotus\organize\easyclip6.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\The Bat!\thebat.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Documents and Settings\Me\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Me/My%20Documents/quick_links.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Lotus Organizer EasyClip.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\program files\lotus\organize\bandobjs.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124958835655
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

guestolo
3 different pieces of malware :(
« Reply #4 on: October 09, 2005, 09:23:14 AM »
The very first thing you must do is go download and install
Service pack 1a
from the following link
http://www.microsoft.com/windowsxp/downloa...p1/express.mspx

Don't install SP2 yet, we'll do that when you're clean
Without these updates you can get other infections in a matter of minutes

When that's done
Go to START>>RUN
type in msconfig
Hit OK
Select Normal Startup
Apply it and close
Don't restart the computer yet

Come back here and post a fresh hijackthis log

Also, open Ad-Aware
Under initialization status click DETAILS
Let me know reference number and Internal build
« Last Edit: October 09, 2005, 09:26:08 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


weird_c00kie
3 different pieces of malware :(
« Reply #5 on: October 09, 2005, 09:32:52 AM »
Ummm..... I think I'm going to have to have a chat with the friend of mine whom I got to set the computer up for me after I bought it...

When I tried to install SP1 it came up with an error message saying the CD key is invalid and exited the installation.

I'll be kicking his ass ASAP, but in the meantime, is there any other way to get rid of these nasties?

guestolo
3 different pieces of malware :(
« Reply #6 on: October 09, 2005, 09:47:16 AM »
Well, you're probably going to get reinfected
I would opt to get a legit version of Windows
But I'll post some methods you can try

Make sure you're running the latest version of Ad-Aware
Open Ad-Aware, be sure to click the Check for updates now link and Connect to download the latest updates
Close it out and we'll run it later

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please Download and UNZIP to desktop
~Link removed~
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop

==Download and UNZIP to desktop
BFU.zip
So you now have BFU.exe extracted to desktop

Please Print this out or save these instructions to a Notepad file and save it to your Desktop

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
Stay disconnected from the Internet

Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Go to START>>RUN
type in msconfig
Hit OK
Select Normal Startup
Apply it and close

Restart back to Normal mode

Run hijackthis again and post a fresh log, also include the saved Report from Ewido's
« Last Edit: October 09, 2005, 10:19:46 AM by guestolo »



weird_c00kie
3 different pieces of malware :(
« Reply #7 on: October 09, 2005, 09:54:54 AM »
I printed the instructions out to make it easy for myself.
Thanks for all the help so far. I hope these new steps will rid me of these nasties for now.

Just for the record, I've arranged to have a legit copy installed by the end of the coming week. I'm really going to kick his ass :P

weird_c00kie
3 different pieces of malware :(
« Reply #8 on: October 09, 2005, 10:35:04 AM »
I didn't get the virus detection screen from Pc-Cillin this time! :D

here's the hijackthis report:

===========================================

Logfile of HijackThis v1.99.1
Scan saved at 1:31:07 AM, on 10/10/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\lotus\organize\easyclip6.exe
C:\Documents and Settings\Me\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Me/My%20Documents/quick_links.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Lotus Organizer EasyClip.lnk = ?
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\program files\lotus\organize\bandobjs.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124958835655
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Offline weird_c00kie

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
3 different pieces of malware :(
« Reply #9 on: October 09, 2005, 10:37:16 AM »
And here's the ewido report... it found 183 infected objects!

=======================================

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         1:20:41 AM, 10/10/2005
 + Report-Checksum:      37A956B2

 + Scan result:

   C:\Documents and Settings\Me\Complete\ A Red Bear (2002) [Ftp].zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\ Dragon Reloaded.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\ACDSee 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Ace Combat 5 Squadron Leader PAL MULTI5 PS2 DVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Acronis SnapDeploy v1.0.0.1277.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Adobe Photoshop Elements 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Advanced JPEG Compressor 4.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\ALO Power Audio Converter v1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Arial Audio Converter v2.3.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Atlantis v1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Atomic Email Hunter v2.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Be Cool DVD-R.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Bvrp Ringtone Media Studio V1.0.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Carlitos Way 2 - Rise to Power DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Chris Sawyers Locomotion iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Crazy Taxi Rip.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\CryptDecrypt v1.15 + Keygen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Disc4You CDRWIN v6.1.1.0 Multilingual.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Elektra Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Fides WALLS FEA v2005.272 Bilingual.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\FIFA 06 Clone DVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\FIFA 2005 iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Final Fantasy VII iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Half-Life 2 Antlion Troopers Deuce.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Hellaraiser Deader 7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Hide n Seek Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Hide.And.Seek.DVDSCR.XviD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\I Robot Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\ImTOO MPEG Encoder v2.1.54.922b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Iso Commander 1.6.037 beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Ivm Telephone Answering Attendant V3.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Kingdom of Heaven Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\KMAX v8.0.6 Multi-OS.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Kylinsoft Icon Seizer v1.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Meet the Fockers.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Microsoft Office 2003 5 IN 1 SP2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Microsoft Office 2003 Proofing Tools ISO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\MTV Celebrity Death Match.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\NASCAR SimRacing iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\NBA Live 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Nero v7.0 Ultra Edition.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Network LookOut Administrator v1.6.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Norton AntiVirus 2006 Beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Open SUSE Linux 10.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Prince Of Persia 2 Warrior Within.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Pro Evolution soccer 4 RELOADED iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Rapidshare Leecher v 2.0 Final.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Red Eye.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\S.W.A.T DVD Rip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Sarm Soft Webalbum 3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Saw Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Scarface.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Secretary Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Shanghai Dreams.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\SheerVideo Pro X 2.3.8.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Shrek2 Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\SimCity 4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Sin City DVDRip Xvid 2 CD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Sophos Antivirus 3.98.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Spy Emergency 2005 v2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Team America World Police DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Girl Next Door DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Grinch 2000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Island TC Xvid 2 CD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Jacket Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Ring 2 Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\The Skeleton Key DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Thief 3 Deadly Shadows.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Timecode Calculator 2.0.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Tomb Raider 5 - Chronicles - Full Game.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Ultra DVD Creator v1.3.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Ultraiso 7.6.2.1180 me.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Underworld DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Unleashed Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\VideoCharge Professional v3.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\West Coast Rally Chrysler.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\WinImage Professional 7.0h.70.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\WinPatrol v9.7.4.0 PLUS.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\WinZip 10.0 Build 6604 Beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Your Uninstaller 2006 Pro v5.0.0.191.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
   C:\Documents and Settings\Me\Local Settings\Temp\Rar$EX01.921\Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\ A Red Bear (2002) [Ftp].zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\ Dragon Reloaded.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\ACDSee 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Ace Combat 5 Squadron Leader PAL MULTI5 PS2 DVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Acronis SnapDeploy v1.0.0.1277.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Adobe Photoshop Elements 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Advanced JPEG Compressor 4.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\ALO Power Audio Converter v1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Arial Audio Converter v2.3.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Atlantis v1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Atomic Email Hunter v2.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Be Cool DVD-R.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Bvrp Ringtone Media Studio V1.0.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Carlitos Way 2 - Rise to Power DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Chris Sawyers Locomotion iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Crazy Taxi Rip.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\CryptDecrypt v1.15 + Keygen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Disc4You CDRWIN v6.1.1.0 Multilingual.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Elektra Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\F.E.A.R. - Full Version.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Fides WALLS FEA v2005.272 Bilingual.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\FIFA 06 Clone DVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\FIFA 2005 iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Final Fantasy VII iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Half-Life 2 Antlion Troopers Deuce.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Hellaraiser Deader 7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Hide n Seek Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Hide.And.Seek.DVDSCR.XviD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\I Robot Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\ImTOO MPEG Encoder v2.1.54.922b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Iso Commander 1.6.037 beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Ivm Telephone Answering Attendant V3.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Kingdom of Heaven Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\KMAX v8.0.6 Multi-OS.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Kylinsoft Icon Seizer v1.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Meet the Fockers.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Microsoft Office 2003 5 IN 1 SP2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Microsoft Office 2003 Proofing Tools ISO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\MTV Celebrity Death Match.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\NASCAR SimRacing iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\NBA Live 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Nero v7.0 Ultra Edition.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Network LookOut Administrator v1.6.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Norton AntiVirus 2006 Beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Open SUSE Linux 10.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Prince Of Persia 2 Warrior Within.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Pro Evolution soccer 4 RELOADED iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Rapidshare Leecher v 2.0 Final.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Red Eye.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\S.W.A.T DVD Rip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Sarm Soft Webalbum 3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Saw Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Scarface.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Secretary Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Shanghai Dreams.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\SheerVideo Pro X 2.3.8.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Shrek2 Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\SimCity 4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Sin City DVDRip Xvid 2 CD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Sophos Antivirus 3.98.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Spy Emergency 2005 v2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Team America World Police DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Girl Next Door DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Grinch 2000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Island TC Xvid 2 CD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Jacket Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Ring 2 Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\The Skeleton Key DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Thief 3 Deadly Shadows.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Timecode Calculator 2.0.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Tomb Raider 5 - Chronicles - Full Game.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Ultra DVD Creator v1.3.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Ultraiso 7.6.2.1180 me.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Underworld DVDRip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Unleashed Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\VideoCharge Professional v3.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\West Coast Rally Chrysler.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\WinImage Professional 7.0h.70.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\WinPatrol v9.7.4.0 PLUS.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\WinZip 10.0 Build 6604 Beta.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Your Uninstaller 2006 Pro v5.0.0.191.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\Opera\profile\cache4\opr02IJ1.js -> TrojanDownloader.IstBar.ad : Cleaned with backup


::Report End
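A report this long is easier to act on once it is reduced to "how many distinct things, and where". The following is an added example, not part of the thread and not ewido's own code: it parses result lines in the format the report above uses (`path -> detection : action`), counts hits per detection family and per directory, and picks out the two patterns visible above, the same archive names flagged under two different directories and every archive hit being an executable inside a .zip. `SAMPLE_REPORT` is a constructed stand-in that mirrors the report's format; the paths and family names in it are invented.

```python
"""Summarise an ewido-style scan report into findings a person can act on.

Added example; not part of the thread and not ewido's own code. Result lines
have the form "<path> -> <detection name> : <action>"; archive members are
logged as "archive.zip/member". SAMPLE_REPORT is constructed to mirror that
format and is not the real report.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

SAMPLE_REPORT = r"""
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Scan result:

   C:\Documents and Settings\Me\Complete\Example Movie Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Complete\Example Tool v1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Me\Cookies\me@adserver.example[2].txt -> Spyware.Cookie.Example : Cleaned with backup
   C:\Program Files\eMule\Incoming\Example Movie Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\eMule\Incoming\Example Tool v1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\Opera\profile\cache4\opr0XXXX.js -> TrojanDownloader.Example : Cleaned with backup

::Report End
"""

# One result line: a path (may contain spaces), " -> ", the detection, " : ", the action.
RESULT_RE = re.compile(r"^\s*(?P<path>.+?)\s+->\s+(?P<det>\S+)\s+:\s+(?P<action>.+?)\s*$")


class Hit(NamedTuple):
    path: str       # as logged; members inside archives appear as "x.zip/member"
    detection: str  # scanner family name, e.g. Worm.VB.an
    action: str     # what the scanner did with it


def parse_report(text: str) -> List[Hit]:
    """Return every result line as a Hit; header and footer lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            hits.append(Hit(m["path"], m["det"], m["action"]))
    return hits


def outer_file(path: str) -> str:
    """The on-disk file: for "archive.zip/member" that is the archive itself."""
    return path.split("/", 1)[0]


def container_dir(path: str) -> str:
    """Directory holding the on-disk file (Windows backslash paths)."""
    return outer_file(path).rsplit("\\", 1)[0]


def summarize(hits: List[Hit]) -> Dict[str, object]:
    by_family = Counter(h.detection for h in hits)
    by_dir = Counter(container_dir(h.path) for h in hits)

    # Same archive name flagged in more than one directory: each copy is being
    # counted once per location, not once per distinct file.
    dirs_per_archive: Dict[str, Set[str]] = {}
    for h in hits:
        outer = outer_file(h.path)
        if outer.lower().endswith(".zip"):
            name = outer.rsplit("\\", 1)[-1]
            dirs_per_archive.setdefault(name, set()).add(container_dir(h.path))
    duplicated = sorted(n for n, d in dirs_per_archive.items() if len(d) > 1)

    # Executable flagged inside an archive: the tell-tale of a P2P worm that
    # seeds itself under attractive movie and application names.
    exe_in_archive = sum(
        1 for h in hits if "/" in h.path and h.path.lower().endswith(".exe")
    )
    return {
        "total": len(hits),
        "by_family": by_family,
        "by_dir": by_dir,
        "duplicated_archives": duplicated,
        "exe_in_archive": exe_in_archive,
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['total']} hits, {s['exe_in_archive']} of them executables inside archives")
    for family, n in s["by_family"].most_common():
        print(f"  {n:4d}  {family}")
    for d, n in s["by_dir"].most_common():
        print(f"  {n:4d}  {d}")
    print("archives flagged in more than one directory:", s["duplicated_archives"])
```

Run against a real report, the family counter is the number that matters (one worm family plus tracking cookies and a cached downloader script), and `duplicated_archives` shows how much of the 183 is the same archive counted in two folders.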

Offline weird_c00kie

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
3 different pieces of malware :(
« Reply #10 on: October 09, 2005, 10:38:32 AM »
Oh yeah, with HijackThis, am I supposed to tell it to fix all the stuff it finds, or are you just after the report?


*edit*

Ctrl + Alt + Del works as well!!!

:D :D
« Last Edit: October 09, 2005, 10:40:38 AM by weird_c00kie »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
3 different pieces of malware :(
« Reply #11 on: October 09, 2005, 12:09:22 PM »
Quote
Oh yeah, with HijackThis, am I supposed to tell it to fix all the stuff it finds, or are you just after the report?

No, don't fix anything with HijackThis; all the bad guys are gone.

Until you can get a legit version of Windows
We have to help keep you secure

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Navigate to the following folders
 C:\Documents and Settings\Me\Complete <-folder
Open the complete folder
Any files you don't recognize, remove them; you should be able to delete the whole
"Complete" folder

Navigate to the following folder
 C:\Program Files\eMule\Incoming
Open the Incoming folder
Any files you didn't purposely download
Remove them

You acquired this worm from the use of your file-sharing programs
Watch what you download, and make sure you scan everything with an updated virus scanner

Can you go to this link
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\tentacle.scr

Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for this file
C:\WINDOWS\SYSTEM32\Vector Trance.scr

Go back and rehide hidden files and folder
I would leave
Hide Extensions for known file types unchecked

You should download and run this utility
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit
Alternate download location if having trouble with the first link

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
Restart your computer
Bootup may be a bit slower, as CleanUp! will also clean the prefetch folder
The speed will increase on next bootup

==Now would be a good time to defrag your harddrive

If everything is running better, please do the following
You should disable system restore and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2

At minimum, you should be able to install
Internet explorer SP1
http://www.microsoft.com/windows/ie/downlo...p1/default.mspx
Until you have a legit version of Windows
At which time I would choose to Clean install and update to SP2 immediately afterwards
Also, include SpywareBlaster and IE-Spyad in your protections after you have a legit version
« Last Edit: October 09, 2005, 12:32:54 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline weird_c00kie

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
3 different pieces of malware :(
« Reply #12 on: October 09, 2005, 12:31:02 PM »
Thank you soooooooooo much for all this.

ActiveX controls are not something I am terribly worried about. I only use IE to access websites which are, beyond the shadow of a doubt, clean. Opera is the browser I use for everything else, and as far as I've seen so far, it doesn't even support them.


When you say clean install, you mean format the disk first, don't you? Is it not possible to just override the current installation with the legit one? Formatting is such a time-consuming process when you like making all these aesthetic changes to everything, because you have to re-do it all every time.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
3 different pieces of malware :(
« Reply #13 on: October 09, 2005, 12:48:39 PM »
Sorry, you may not have seen my edit

Can you do this please
Can you go to this link
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\tentacle.scr

Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same for this file
C:\WINDOWS\SYSTEM32\Vector Trance.scr

I would choose to clean install
You have no Windows updates installed
A clean install will ensure you won't have any conflicts at all
Backup any important files or folders
It doesn't really take that long at all
You can tweak your fresh copy later
« Last Edit: October 09, 2005, 12:49:53 PM by guestolo »

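Replies #11 and #13 ask for two things to be done by hand: clear out the Complete and eMule Incoming folders of anything not purposely downloaded, and submit the two .scr files from System32 to an online multi-scanner. The script below is an added example, not part of the thread and not code from eMule, ewido or Jotti, that does the mechanical part of both. It walks a folder, flags every .zip whose entire content is a single executable (the shape of every Worm.VB.an hit in the report above: a movie or application name wrapping nothing but Setup.exe), hashes each payload so copies under different names collapse into one SHA-256, and hashes a loose file the same way for lookup or submission. The sample folder it builds, the file names in it and the two "MZ" stubs standing in for a worm copy and a genuine installer are constructed for illustration; nothing in it is real malware.

```python
"""Triage a P2P download folder and hash suspect files for a multi-scanner lookup.

Added example; not part of the thread and not code from eMule, ewido or Jotti.
build_sample_folder() constructs a throwaway folder for illustration; the
"payloads" in it are inert MZ stubs, not working programs.
"""
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger (zip bombs)
LOOSE_SCR = "Example Screensaver.scr"  # constructed name; stands in for a .scr in System32


class Finding(NamedTuple):
    archive: str  # archive path on disk
    member: str   # the lone executable inside it
    sha256: str   # digest of the inflated member
    is_pe: bool   # member starts with the "MZ" DOS header


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 of a loose file, read in chunks: the value you look up or submit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def lone_executable(zf: zipfile.ZipFile) -> Optional[str]:
    """Member name if the archive holds exactly one file and that file is executable."""
    members = [i for i in zf.infolist() if not i.is_dir()]
    if len(members) != 1:
        return None
    name = members[0].filename
    return name if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS else None


def triage_folder(folder: str) -> List[Finding]:
    """Flag every .zip under folder that is just a wrapper around one executable."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for fname in files:
            if not fname.lower().endswith(".zip"):
                continue
            path = os.path.join(root, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    member = lone_executable(zf)
                    if member is None or zf.getinfo(member).file_size > MAX_MEMBER_BYTES:
                        continue
                    data = zf.read(member)
            except zipfile.BadZipFile:
                continue  # not a real zip; worth a look, but not this heuristic's job
            findings.append(Finding(path, member, sha256_bytes(data), data[:2] == b"MZ"))
    return sorted(findings)


def cluster_by_hash(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged archives by payload digest: one worm, many bait names."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        clusters[f.sha256].append(f.archive)
    return dict(clusters)


# Constructed stand-ins for the example only. Neither is a working program.
FAKE_WORM = b"MZ" + b"\x90" * 62 + b"inert stub standing in for a worm copy"
FAKE_INSTALLER = b"MZ" + b"\x00" * 62 + b"inert stub standing in for a real installer"


def build_sample_folder() -> str:
    """Three bait zips with one payload, a genuine lone-exe installer, a photo zip, a loose .scr."""
    root = tempfile.mkdtemp(prefix="p2p_triage_")
    for name in ("Example Movie DVDRip Xvid.zip", "Example App v2.0.zip", "Example Game iSO.zip"):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr("Setup.exe", FAKE_WORM)
    with zipfile.ZipFile(os.path.join(root, "Real Tool Setup.zip"), "w") as zf:
        zf.writestr("Setup.exe", FAKE_INSTALLER)
    with zipfile.ZipFile(os.path.join(root, "Holiday Photos.zip"), "w") as zf:
        zf.writestr("IMG_0001.jpg", b"\xff\xd8\xff\xe0 constructed bytes")
        zf.writestr("IMG_0002.jpg", b"\xff\xd8\xff\xe0 constructed bytes")
    # A loose screensaver outside any archive, same bytes as the bait payload.
    with open(os.path.join(root, LOOSE_SCR), "wb") as f:
        f.write(FAKE_WORM)
    return root


if __name__ == "__main__":
    folder = build_sample_folder()
    for digest, archives in cluster_by_hash(triage_folder(folder)).items():
        print(f"{digest[:16]}...  {len(archives)} archive(s)")
        for a in archives:
            print("    ", os.path.basename(a))
    print("loose .scr:", hash_file(os.path.join(folder, LOOSE_SCR))[:16] + "...")
```

The shape check alone is only a heuristic: a genuine installer shipped as a lone Setup.exe is flagged too, which is why the digest clustering follows it. Three bait names sharing one hash is the worm; one archive with its own hash is the case to check by other means, and a loose .scr whose digest matches the bait cluster is the same worm copy again, already identified without submitting anything.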


Offline weird_c00kie

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
3 different pieces of malware :(
« Reply #14 on: October 09, 2005, 08:05:27 PM »
That'll be my #1 priority once I finish the assignment I would have been doing last night if I hadn't ended up fighting viruses.

Once again, thank you SO much for all the super-fast help and all :D

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
3 different pieces of malware :(
« Reply #15 on: October 22, 2005, 04:43:49 PM »
As the problems appear resolved, I'll lock this topic.
If you need it reopened, please PM me or the site admin and supply a link to this thread.

Take care :)
