Author Topic: Getting rid of junk I can't find  (Read 2806 times)

friedemann
Getting rid of junk I can't find
« on: October 23, 2005, 10:08:55 AM »
My anti-virus noted this bug in 2500 zip files in a folder I can't find. I never knowingly downloaded these porn zips and almost all memory is used up because of them. The bug is TR/Drop.WinAD.H.
I am running Win XP, have Spybot, Ad-aware and AntiVir. Appreciate some help as I don't have enough free memory to do a system restore (I am under the impression I could go back in time before problems existed - maybe not???)

guestolo
« Reply #1 on: October 23, 2005, 11:13:52 AM »
Can you please post a HijackThis log?

Here are the instructions

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


friedemann
« Reply #2 on: October 23, 2005, 08:37:42 PM »
Logfile of HijackThis v1.99.1
Scan saved at 6:22:33 PM, on 10/23/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125637809135
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125795761545
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
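
Added here as a reader's example, not code from the thread or from HijackThis itself: a small Python parser that turns HijackThis lines like the ones above into records (section code, display name, image path, CLSID) and attaches the review questions a helper asks before declaring a log okay. The sample lines are taken from the log above; the flag rules (no display name, bare file name, temp or profile directory) are assumptions about what deserves a second look, not verdicts.

```python
import re
from dataclasses import dataclass, field

# A HijackThis line is "<code> - <body>", where code is R0-R3, F0-F3 or O1-O24.
LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Image path of a Run-key command: either the quoted token, or an unquoted prefix
# ending in an executable-style extension, so an unquoted path with spaces such as
# C:\Program Files\AVPersonal\AVSched32.EXE /min is not cut at the first space.
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"'
    r'|^(?P<u>.+?\.(?:exe|dll|cpl|ocx|scr|com|bat|cmd|pif|vbs|js))(?=\s|$)',
    re.IGNORECASE)
# Directories an autostart entry normally has no business running from (assumed list).
REVIEW_DIRS = ("\\temp\\", "\\documents and settings\\")


@dataclass
class Entry:
    code: str            # HijackThis section, e.g. "O4"
    name: str            # display name (Run value name, BHO/service name, ...)
    path: str            # image path, URL or registry data
    clsid: str = ""      # CLSID when the line carries one (O2, O3, O16)
    flags: list = field(default_factory=list)


def image_path(command: str) -> str:
    """Strip the arguments from a Run-key command line, keeping only the image."""
    m = IMAGE_RE.match(command.strip())
    return (m.group("q") or m.group("u")) if m else command.strip()


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # header, running-process list, blank line
    code, body = m.groups()
    g = GUID_RE.search(body)
    clsid = g.group(0).upper() if g else ""
    if code.startswith("R"):
        # "HKLM\...\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm"
        name, _, path = body.partition(" = ")
    elif code == "O4":
        # "HKLM\..\Run: [Name] command"  or  "Startup: name.lnk = path"
        m4 = (re.match(r"[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", body)
              or re.match(r"[^:]+: (?P<name>.+?) = (?P<cmd>.*)$", body))
        name, path = (m4["name"], image_path(m4["cmd"])) if m4 else (body, "")
    elif code == "O16":
        # "DPF: {CLSID} (Name) - URL"
        m16 = re.match(r"DPF: \{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>.*)$", body)
        name, path = (m16["name"], m16["url"]) if m16 else (body, "")
    else:
        # O2/O3/O8/O23: "Kind: Name[ - CLSID or company] - path"
        head, sep, path = body.rpartition(" - ")
        if not sep:
            head, path = body, ""
        name = head.split(": ", 1)[1] if ": " in head else head
        name = name.split(" - ")[0]
    return Entry(code, name, path, clsid)


def review(entry: Entry) -> Entry:
    """Attach the questions a helper would ask about this entry before clearing it."""
    low = entry.path.lower()
    if entry.name.strip() in ("", "(no name)"):
        entry.flags.append("no display name: identify the file by its CLSID and path")
    if entry.code == "O4" and entry.path and "\\" not in entry.path:
        entry.flags.append("bare file name: location on disk unknown, check where it resolves")
    if any(d in low for d in REVIEW_DIRS):
        entry.flags.append("runs from a temp or user-profile directory")
    return entry


def parse_log(text: str) -> list:
    return [review(e) for e in map(parse_line, text.splitlines()) if e]


def needs_review(entries: list) -> list:
    return [e for e in entries if e.flags]


# Lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
"""

if __name__ == "__main__":
    for e in needs_review(parse_log(SAMPLE_LOG)):
        print(f"{e.code} {e.name!r} -> {e.path}: {'; '.join(e.flags)}")
```

On the sample, the two entries it raises (the unnamed BHO, which here is Spybot's SDHelper, and the bare SysTray.Exe) are exactly the ones a helper resolves by hand before calling the log clean.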

guestolo
« Reply #3 on: October 23, 2005, 09:06:51 PM »
Let's see what we can find
Your log looks okay

Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

Please Restart your computer into
SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Restart back to Normal mode
Post the results of the WinPFind.txt located in the WinPFind folder

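
Added here as a reader's example, not WinPFind's own code or anything posted in the thread: a small Python parser for the file-listing rows of the WinPFind report friedemann posts in the next reply, with the sample rows copied from that report. It groups the listed files by directory to show where the bytes are going, which is the question behind the original post, and pulls out the rows the %System% check matched against a packer signature. It assumes the report's column layout (optional label, timestamp, attribute letters, size, path) and that the label column carries the matched signature or file vendor.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# One report row: optional label (matched signature or file vendor), timestamp,
# optional attribute letters (R/H/S/A), size in bytes, full path.
ROW_RE = re.compile(
    r"^(?P<label>.*?)\s*(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"\s+(?P<attrs>[RHSA]*)\s+(?P<size>\d+)\s+(?P<path>\S.*?)\s*$")
STAMP_FMT = "%m/%d/%Y %I:%M:%S %p"


@dataclass
class Row:
    section: str        # the "Checking ..." header the row appeared under
    label: str
    modified: datetime
    attrs: str
    size: int
    path: str


def parse_rows(text: str) -> list:
    """Turn the report's file listing into Row records, remembering the section."""
    rows, section = [], ""
    for line in text.splitlines():
        if line.startswith("Checking"):
            section = line.strip()
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(Row(section, m["label"], datetime.strptime(m["stamp"], STAMP_FMT),
                            m["attrs"], int(m["size"]), m["path"]))
    return rows


def packer_hits(rows: list) -> list:
    """Rows under the %System% check whose label names a packer signature (PEC2, aspack, ...)."""
    return [r for r in rows if r.section.startswith("Checking %System% folder") and r.label]


def by_directory(rows: list) -> list:
    """(directory, file count, bytes), largest first; a file listed under several signatures counts once."""
    seen, totals = set(), defaultdict(lambda: [0, 0])
    for r in rows:
        key = r.path.lower()
        if key in seen:
            continue
        seen.add(key)
        d = key.rsplit("\\", 1)[0]
        totals[d][0] += 1
        totals[d][1] += r.size
    return sorted(((d, n, b) for d, (n, b) in totals.items()), key=lambda t: -t[2])


def modified_since(rows: list, cutoff: str) -> list:
    """Rows modified on or after cutoff, given as m/d/yyyy like the report's own dates."""
    since = datetime.strptime(cutoff, "%m/%d/%Y")
    return [r for r in rows if r.modified >= since]


# Rows copied from the WinPFind report in this thread (section headers included).
SAMPLE_REPORT = r"""
Checking %System% folder...
PECompact2           9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/1/2005 10:16:42 PM    RHS 13695      C:\WINDOWS\SYSTEM32\Restore\filelist.xml
                     9/28/2005 4:58:14 PM     HS 77312      C:\WINDOWS\WEB\Wallpaper\Thumbs.db
                     9/9/2005 6:31:42 AM      H  2234862    C:\WINDOWS\TEMP\CSE1CEF7F2-60F3-4FC1-98BB-7F2523C30C72.tmp
                     9/9/2005 6:31:42 AM      H  1413142    C:\WINDOWS\TEMP\CS8C93ABB7-7999-4917-85B1-6E8D5F69FAC7.tmp
                     9/9/2005 6:32:08 AM      H  10         C:\WINDOWS\TEMP\CSD87BFE67-4E20-427B-ACA4-9F84AED06D69.tmp

Checking for CPL files...
Microsoft Corporation          8/23/2001 12:00:00 PM       130048     C:\WINDOWS\SYSTEM32\desk.cpl
Apple Computer, Inc.           8/26/1996 2:12:00 AM    R   341504     C:\WINDOWS\SYSTEM32\QTW32.CPL
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_REPORT)
    for d, n, b in by_directory(rows):
        print(f"{b:>10} bytes in {n} file(s): {d}")
    for r in packer_hits(rows):
        print(f"packer {r.label}: {r.path}")
```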


friedemann
« Reply #4 on: October 24, 2005, 02:04:04 PM »
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2                 8/23/2001 12:00:00 PM       41397      C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor             8/23/2001 12:00:00 PM       630784     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/23/2001 12:00:00 PM       1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu
PECompact2           9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               9/8/2005 8:08:28 PM         1997664    C:\WINDOWS\SYSTEM32\MRT.exe

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\WindowsShell.Manifest
                     10/24/2005 7:17:24 AM     S 2048       C:\WINDOWS\bootstat.dat
                     10/21/2005 11:23:12 PM   H  54156      C:\WINDOWS\QTFont.qfn
                     9/1/2005 6:36:20 PM     RH  188448     C:\WINDOWS\HWINFO.DAT
                     9/1/2005 6:35:34 PM      H  13122      C:\WINDOWS\folder.htt
                     9/1/2005 7:48:54 PM      H  2969       C:\WINDOWS\ttfCache
                     9/1/2005 6:34:14 PM      H  9793       C:\WINDOWS\HELP\windows.GID
                     9/1/2005 9:59:52 PM      H  10820      C:\WINDOWS\HELP\nocontnt.GID
                     9/1/2005 6:35:34 PM      H  13122      C:\WINDOWS\SYSTEM32\folder.htt
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
                     9/1/2005 8:39:58 PM     RH  488        C:\WINDOWS\SYSTEM32\logonui.exe.manifest
                     9/1/2005 8:39:58 PM     RH  488        C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
                     9/1/2005 8:39:36 PM     RH  749        C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
                     10/24/2005 7:16:16 AM    H  720896     C:\WINDOWS\SYSTEM32\config\system.LOG
                     10/24/2005 7:16:16 AM    H  81920      C:\WINDOWS\SYSTEM32\config\software.LOG
                     10/24/2005 7:16:16 AM    H  8192       C:\WINDOWS\SYSTEM32\config\default.LOG
                     9/1/2005 8:22:12 PM      H  1024       C:\WINDOWS\SYSTEM32\config\userdiff.LOG
                     9/1/2005 8:22:10 PM      H  1024       C:\WINDOWS\SYSTEM32\config\TempKey.LOG
                     10/24/2005 7:17:40 AM    H  1024       C:\WINDOWS\SYSTEM32\config\SAM.LOG
                     10/24/2005 7:17:26 AM    H  12288      C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
                     9/15/2005 7:04:56 AM     H  1024       C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
                     9/1/2005 8:24:12 PM      HS 62         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\desktop.ini
                     9/1/2005 8:41:18 PM      HS 113        C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\desktop.ini
                     9/1/2005 8:41:18 PM      HS 113        C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KRQBHRU7\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OVSVOPP3\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AMNIP661\desktop.ini
                     9/1/2005 8:41:18 PM      HS 67         C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GJ03D8S4\desktop.ini
                     9/1/2005 8:24:12 PM      HS 62         C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\desktop.ini
                     9/1/2005 8:44:02 PM      HS 206        C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\desktop.ini
                     9/1/2005 8:44:02 PM      HS 482        C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
                     9/1/2005 8:44:02 PM      HS 84         C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
                     9/1/2005 8:44:02 PM      HS 348        C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
                     9/1/2005 8:44:02 PM      HS 84         C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
                     9/1/2005 8:40:04 PM      HS 181        C:\WINDOWS\SYSTEM32\config\systemprofile\SendTo\desktop.ini
                     9/1/2005 8:24:12 PM      HS 62         C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\desktop.ini
                     9/1/2005 8:59:18 PM      HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\9720d58c-e8c8-4caa-9b6a-ed0cfe502fb7
                     9/1/2005 8:59:18 PM      HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     9/1/2005 10:16:42 PM    RHS 13695      C:\WINDOWS\SYSTEM32\Restore\filelist.xml
                     9/1/2005 8:42:28 PM      HS 67         C:\WINDOWS\FONTS\desktop.ini
                     9/1/2005 6:35:32 PM      H  19600      C:\WINDOWS\WEB\WVLOGO.GIF
                     9/1/2005 6:35:32 PM      H  4204       C:\WINDOWS\WEB\CONTROLP.HTT
                     9/1/2005 6:35:32 PM      H  11530      C:\WINDOWS\WEB\FOLDER.HTT
                     9/1/2005 6:35:32 PM      H  4988       C:\WINDOWS\WEB\MYCOMP.HTT
                     9/1/2005 6:35:32 PM      H  5044       C:\WINDOWS\WEB\PRINTERS.HTT
                     9/1/2005 6:35:34 PM      H  855        C:\WINDOWS\WEB\webview.css
                     9/1/2005 6:35:34 PM      H  14258      C:\WINDOWS\WEB\default.htt
                     9/1/2005 6:35:34 PM      H  5403       C:\WINDOWS\WEB\nethood.htt
                     9/1/2005 6:35:34 PM      H  8088       C:\WINDOWS\WEB\recycle.htt
                     9/1/2005 6:35:34 PM      H  5495       C:\WINDOWS\WEB\schedule.htt
                     9/1/2005 6:35:34 PM      H  5521       C:\WINDOWS\WEB\dialup.htt
                     9/1/2005 6:35:34 PM      H  44686      C:\WINDOWS\WEB\wvleft.bmp
                     9/1/2005 6:35:34 PM      H  840        C:\WINDOWS\WEB\wvline.gif
                     9/1/2005 6:35:36 PM      H  10931      C:\WINDOWS\WEB\ftp.htt
                     9/28/2005 4:58:14 PM     HS 77312      C:\WINDOWS\WEB\Wallpaper\Thumbs.db
                     10/24/2005 7:16:08 AM    H  6          C:\WINDOWS\TASKS\SA.DAT
                     9/1/2005 8:41:06 PM     RHS 242478     C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
                     9/1/2005 8:41:06 PM     RHS 19959      C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
                     9/1/2005 8:41:06 PM     RHS 727        C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
                     9/1/2005 8:39:58 PM      H  65         C:\WINDOWS\Offline Web Pages\desktop.ini
                     9/1/2005 8:39:58 PM      H  65         C:\WINDOWS\Downloaded Program Files\desktop.ini
                     9/1/2005 8:45:38 PM      H  286720     C:\WINDOWS\repair\ntuser.dat
                     9/1/2005 10:16:28 PM     H  0          C:\WINDOWS\inf\oem0.inf

Checking for CPL files...
Microsoft Corporation          8/23/2001 12:00:00 PM       130048     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       558592     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       119808     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       294912     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       65536      C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       270848     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/23/2001 5:00:00 AM        66048      C:\WINDOWS\SYSTEM32\access.cpl
Apple Computer, Inc.           8/26/1996 2:12:00 AM    R   341504     C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/23/2001 5:00:00 AM        66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       558592     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 AM        130048     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       65536      C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       294912     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       119808     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation          8/23/2001 12:00:00 PM       270848     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     9/10/2005 3:00:50 PM        1661       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/1/2005 8:44:02 PM      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/1/2005 8:24:12 PM      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     9/1/2005 8:44:02 PM      HS 84         C:\Documents and Settings\bern schau\Start Menu\Programs\Startup\desktop.ini
                     9/6/2005 11:26:18 PM        829        C:\Documents and Settings\bern schau\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     9/4/2005 9:25:04 AM         1697       C:\Documents and Settings\bern schau\Application Data\AdobeDLM.log
                     9/1/2005 8:24:12 PM      HS 62         C:\Documents and Settings\bern schau\Application Data\desktop.ini
                     9/4/2005 9:25:04 AM         0          C:\Documents and Settings\bern schau\Application Data\dm.ini
                     9/6/2005 11:26:18 PM        83         C:\Documents and Settings\bern schau\Application Data\sversion.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   DigExt    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
   {a7cda720-84ee-11d0-b5c0-00001b3ca278}    = C:\Program Files\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
   {a7cda720-84ee-11d0-b5c0-00001b3ca278}    = C:\Program Files\AVPersonal\AVShlExt.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SystemTray   SysTray.Exe
   AVSCHED32   C:\Program Files\AVPersonal\AVSched32.EXE /min
   AVGCtrl   C:\Program Files\AVPersonal\AVGNT.EXE /min
   TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
   Key   †€6òØÁbÚðwSõ~–ÁÉ
   Hint   relativity
   FileName0   C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
   Allow_Unknowns   1
   PleaseMom   0
   Enabled   1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
   v   4
   s   4
   n   4
   l   4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
   NumSys   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/24/2005 7:29:01 AM

Offline guestolo

Getting rid of junk I can't find
« Reply #5 on: October 24, 2005, 10:03:38 PM »
I don't see what I'm looking for, but let's try some cleanup anyways

Ensure you are running the latest version of Ad-Aware
If you don't have the latest, uninstall your version and/or
Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
After checking for updates, close down, we'll need it later

==Download and UNZIP to desktop
BFU.zip
So you now have BFU.exe extracted to desktop

Please Download and UNZIP to desktop
P2pnetwork.zip
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit

Open Ewido
click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please print this out or save to notepad for reference
Reboot back to SAFE MODE

Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware>>Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Reboot back to Normal mode

Afterwards
Come back here and supply a fresh hijackthis log
and the Report from Ewido
« Last Edit: October 24, 2005, 10:04:10 PM by guestolo »

Offline friedemann

Getting rid of junk I can't find
« Reply #6 on: October 25, 2005, 10:21:28 PM »
Logfile of HijackThis v1.99.1
Scan saved at 7:51:21 PM, on 10/25/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...s/en/x86/client/wuweb_site.cab?1125637809135
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...ols/en/x86/client/muweb_site.cab?1125795761545
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

****NOTE: Ewido did not give me a report to save. However I checked it over, it said that 6460 infected files were removed (all Trojans)

Ad-aware came thru clean

Windows CleanUp 4.0 gained 1.91 GB of space

I still have the BFU and P2P programs.

P2P??
(Speaking of which....I did have "LimeWire" for a period of time. Because I am on dialup modem I unchecked the sharing of files, however I did download music files for a time. Finally got tired of it all and nuked the program....which did not uninstall that easily or cleanly.. I did not keep any of the files either.

Things are better now, however clicking with the mouse is somewhat sluggish (like connecting back onto the net thru dial up procedures) and it seems the computer is working more (there is a lot of clicking going on inside the pc just to do simple tasks - it seems as though something else is running in surges inside as the hard drive light comes on in groups and then goes out for a couple of minutes). Just my observation at this moment.

Is a defrag necessary?

Offline guestolo

Getting rid of junk I can't find
« Reply #7 on: October 25, 2005, 10:23:33 PM »
Can you reboot the computer one more time

Back in Windows
Run hijackthis again and post a fresh log, one from normal mode


Offline friedemann

Getting rid of junk I can't find
« Reply #8 on: October 26, 2005, 08:25:07 AM »
Logfile of HijackThis v1.99.1
Scan saved at 6:21:51 AM, on 10/26/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVSched32.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\bern schau\Desktop\AA-REPAIR\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125637809135
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1125795761545
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
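The two logs above (reply #6 taken in Safe Mode, reply #8 in normal mode) share the HijackThis O-line format and differ mainly in the running-processes list. The parser below is an added example, not code from this thread or from HijackThis: it splits a log into processes and O-line entries, reduces each entry to the identifier and image it loads, and diffs two scans of the same machine. The sample logs are trimmed from the thread; the [ExampleOnly] Run entry is a constructed placeholder, not something on the user's machine.

```python
"""Parse HijackThis v1.99 logs and diff two scans of the same machine (added example)."""
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [Name] command" or "O23 - Service: ...".
OLINE = re.compile(r"^([RO]\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
SERVICE_ENTRY = re.compile(r"^Service: (.*?) \((.*?)\) - (.*?) - (.*)$")
BHO_ENTRY = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
DPF_ENTRY = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}) \((.*?)\) - (.*)$")

def parse_log(text):
    """Split a log into the running-process list and O-line entries keyed by code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = OLINE.match(line)
            if m:
                entries[m.group(1)].append(m.group(2))
    return {"processes": processes, "entries": dict(entries)}

def describe(code, detail):
    """Reduce an entry to (kind, identifier, image/url) for the entry types seen in this thread."""
    if code == "O4":
        m = RUN_ENTRY.match(detail)
        if m:
            hive, key, name, cmd = m.groups()
            return ("run", f"{hive}\\{key}\\{name}", cmd)
        _, _, rest = detail.partition(": ")      # "Startup:" / "Global Startup:" shortcuts
        name, _, target = rest.partition(" = ")
        return ("startup", name, target)
    for kind, rx, i, j in (("service", SERVICE_ENTRY, 2, 4),   # (short name, image)
                           ("bho", BHO_ENTRY, 2, 3), ("dpf", DPF_ENTRY, 1, 3)):  # (CLSID, image/url)
        m = rx.match(detail)
        if m:
            return (kind, m.group(i), m.group(j))
    return ("other", code, detail)

def diff_logs(old_text, new_text):
    """Report entries and processes that appeared or disappeared between two scans."""
    old, new = parse_log(old_text), parse_log(new_text)
    old_e = {(c, d) for c, ds in old["entries"].items() for d in ds}
    new_e = {(c, d) for c, ds in new["entries"].items() for d in ds}
    old_p = {p.lower() for p in old["processes"]}    # NTFS paths compare case-insensitively
    new_p = {p.lower() for p in new["processes"]}
    return {"added_entries": sorted(new_e - old_e), "removed_entries": sorted(old_e - new_e),
            "added_processes": sorted(new_p - old_p), "removed_processes": sorted(old_p - new_p)}

# Constructed sample input, trimmed from the Safe Mode (reply #6) and normal-mode
# (reply #8) logs in this thread; the [ExampleOnly] entry is a made-up placeholder.
SAFE_MODE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [ExampleOnly] C:\example\constructed.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
"""
NORMAL_MODE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
"""

if __name__ == "__main__":
    for key, items in diff_logs(SAFE_MODE_LOG, NORMAL_MODE_LOG).items():
        print(key, items)
```

Running it against the full logs from consecutive replies shows which autostart entries a cleanup actually removed, rather than relying on reading two long lists by eye.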

Offline guestolo

Getting rid of junk I can't find
« Reply #9 on: October 26, 2005, 11:25:31 AM »
I suspect things are getting quicker on startup?
CleanUp!, also cleans the Prefetch folder, so startup will be a bit slower at first, but will increase in speed after a couple bootups

You can look for the Complete folder and delete it if found

It will have hidden attributes
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Look for the Complete folder in this location
 C:\Documents and Settings\bern schau\Complete
or under another user name

Go back and hide hidden files and folders later

You're way behind on Windows updates; it's important to keep up on updates to keep secure
If on dialup you can order the Service pack 2 CD from here
http://www.microsoft.com/windowsxp/downloa...us/default.mspx

You need to get these updates on your computer

At minimum for now, install Service pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

You may have to disable your download manager before installing


Guest

Getting rid of junk I can't find
« Reply #10 on: October 27, 2005, 08:31:00 AM »
I can't figure out how to download sp1a from MS website as there is no download button for that. When I press downloads, I get taken to SP2. I have tried to download that 5x and keep getting booted out. I figured at that time it was a memory capacity issue or something so OH well! Let's see how long I live I guess....I can always wipe the pc clean and go back to 98

Offline guestolo

Getting rid of junk I can't find
« Reply #11 on: October 27, 2005, 08:50:37 AM »
You should do the following
For some final cleanup
If everything is running better, please do the following
You should disable system restore and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"


Use this link and get the express installation of Sp1a
Choose language and hit the GO button
Of course, your Windows version must be legit
http://www.microsoft.com/windowsxp/downloa...1/expresso.mspx

Order the Sp2 CD
« Last Edit: October 27, 2005, 08:55:01 AM by guestolo »
