Author Topic: Hijacked, plus missing Registry files?  (Read 1921 times)

Offline geekwanabe

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Hijacked, plus missing Registry files?
« on: January 17, 2006, 10:41:22 AM »
I'm new here, so I hope you all will bear with me.  I'm sending this from my notebook pc, as my old desktop has crashed.  LSS:  I got infected by the Zlob.F Trojan and although I've made some "repairs" and can see that the data is still on my hard drives, I can only access the system through the Task Manager.  I've lost the desktop icons, taskbar icons, and the start button.  I believe I may have a missing Registry file or two.  Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:26 AM, on 1/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\clark\Desktop\Misc. Programs\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130331619744
O16 - DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} (CWUInstall Object) - http://www.wunderground.com/windowsinstall/weather.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Questolo---are you available?
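The HijackThis log above is what a helper triages by eye. As an added example, not part of this thread and not a HijackThis feature, here is a small Python script that parses lines in that format and applies a few defensive heuristics: it reports every O15 Trusted Zone entry, collapses the repeated O10 LSP lines into one finding with a count, flags the O18 filter that points at no file, and cross-references O4/O23 autostart paths against the trusted-zone domain labels. The sample lines are a constructed subset of the log above; the rule set and function names are my own assumptions, not an official triage procedure.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines posted above, kept
# verbatim so the rules can be checked against real entries.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.billingnow.com
O16 - DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} (CWUInstall Object) - http://www.wunderground.com/windowsinstall/weather.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
"""

# One HJT entry: a section tag (R0-R3, F0-F3, O1-O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return [(section, body)] for every recognised entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def domain_label(zone):
    """'http://*.winantivirus.com' -> 'winantivirus' (the label left of the TLD)."""
    host = zone.split("://", 1)[-1].lstrip("*.").rstrip("/")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def triage(entries):
    """Apply a handful of heuristics (my own, not HJT's) and return [(section, message)]."""
    findings = []

    # Rule 1: every O15 Trusted Zone entry is reported. IE relaxes its security
    # settings for these sites, and users almost never add wildcard zones by hand.
    zones = [b.split("Trusted Zone:", 1)[1].strip() for s, b in entries if s == "O15"]
    for zone in zones:
        findings.append(("O15", f"site in IE Trusted Zone: {zone}"))

    # Rule 2: O10 entries are Winsock LSP DLLs HJT could not identify. The same DLL
    # repeated N times is chained into N LSP layers, so report it once with the count.
    lsp = Counter(b.split("Winsock LSP:", 1)[1].strip().lower() for s, b in entries if s == "O10")
    for path, n in lsp.items():
        findings.append(("O10", f"unknown Winsock LSP {path} ({n} chain entries)"))

    # Rule 3: an O18 filter registered for a MIME type with no backing file.
    for s, b in entries:
        if s == "O18" and "(no file)" in b:
            findings.append(("O18", f"orphaned protocol/MIME filter: {b}"))

    # Rule 4: cross-reference. Autostarts (O4) and services (O23) whose name or path
    # contains a trusted-zone domain label were installed by the same product that
    # added the zone, which ties the two findings together.
    labels = {domain_label(z) for z in zones}
    for s, b in entries:
        if s in ("O4", "O23"):
            flat = re.sub(r"[^a-z0-9]", "", b.lower())
            hits = sorted(lab for lab in labels if lab in flat)
            if hits:
                findings.append((s, f"autostart tied to trusted-zone domain(s) {', '.join(hits)}: {b}"))
    return findings


def triage_log(text):
    """Convenience wrapper: raw log text in, findings out."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, msg in triage_log(SAMPLE_LOG):
        print(f"[{section}] {msg}")
```

Run against the full log in the post, the script reports all seven trusted-zone sites, the mailscan.dll LSP once with a count of six, the orphaned text/html filter, and the WinAntiVirus Pro 2006 Run entry and FWSvc service as tied to the winantivirus/winantiviruspro zones, while leaving the Java, HP and Creative entries alone. The rules are heuristics for prioritising a read-through, not verdicts.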

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Hijacked, plus missing Registry files?
« Reply #1 on: January 17, 2006, 11:25:07 AM »
We'll need to transport some files from the computer you are now using, to your infected computer.

Download smitRem.exe and save the file to the desktop on the clean computer you are now using.
Double click on the file and extract it to its own folder on the desktop.
So you'll get a new folder called smitrem on your desktop.
I want you to put that folder on cd, floppy or usb-stick.

On your infected computer, boot in safe mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

In Safe Mode, open your task manager by pressing Control-Alt-Delete simultaneously.
Now insert the cd, floppy or usb-stick where you saved the smitrem folder from your clean computer.

In your Task Manager, click 'applications' (first tab).
Click the New Task button.
Click browse.

Now browse to the drive where your floppy, usb-stick or cd is present
Search for that smitrem folder.
This is important, it can't be run from the floppy, cd or usb-stick
Right click on the smitrem folder and choose: Copy

Now browse again via Task Manager to My Documents or Program Files.
Right click somewhere in there and choose: Paste
Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat
Then click open.
In the window where it says 'Create new task', click OK.

Normally, you'll have to drag the different windows you'll see to the left or to the right, because normally they will open on top of each other and you won't see the command window the tool starts that is under it.
You'll see a blue window now.
Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish
When done, in Task Manager, click 'shut down' from the menu on top and click restart. Your computer will reboot now.
Reboot to normal mode and post a hijackthis log in your next reply
along with the log made from SmitRem>>C:\Smitfiles.txt

NOTE: Don't run a scan with your  Anti-virus software on your computer until I get a chance to see Smitfiles.txt and a new hijackthis log
« Last Edit: January 17, 2006, 01:34:31 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline geekwanabe

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Hijacked, plus missing Registry files?
« Reply #2 on: January 18, 2006, 01:51:53 AM »
Hi Questolo,

I followed your instructions, exactly. I formatted a floppy, downloaded smitRem.exe, saved the contents to the folder (named smitRem) to the floppy, tested to see if the files were embedded in the folder (they were).  I got into the task manager on the infected machine,  found the smitRem folder in My Computer, A:\, "Right" clicked on the folder and just as you said, selected the 'Copy' option. Next, I closed the window (it would not minimize, as you know) and clicked on the browse button.

Here's the problem:  Each time I attempt to 'Paste' to either the My Documents or Program Files areas, the 'Paste' option is "greyed-out" (non-selectable).  I created a second 3-1/2" flop, formatted it, and x-ferred the smitRem data to it, but it did the same thing...I could select 'Copy', but was unable to select 'Paste' from the right-click method.

Hmmm...ideas?  Comments?

Thanks,

Clark

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Hijacked, plus missing Registry files?
« Reply #3 on: January 18, 2006, 02:10:01 AM »
Try it this way,

Right click on the smitrem folder on the floppy  and choose: Copy
Don't close the Browse window
Use the drop down menu in >>>Look in:
Select MyDocuments folder to open the folder
then right click and choose: Paste

Now open the smitrem folder you just copied and pasted and click the file: RunThis.bat

OR
without closing the Browse window
Select copy from the floppy
change to MyDocuments>>Right click
Select NEW>>Folder
Name it whatever you want
Then right click on the new folder and select OPEN
Then in the new window select EDIT>>PASTE
« Last Edit: January 18, 2006, 02:10:53 AM by guestolo »



Offline geekwanabe

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Hijacked, plus missing Registry files?
« Reply #4 on: January 18, 2006, 06:59:58 PM »
OK, questolo, I was able to open the smitrem folder and I ran the file:  RunThis.bat  I'm not sure the file was able to run in its entirety---the disk cleaner never seemed to finish.  I ran and reran the program a few times.  When I rebooted into normal mode, at one point, a black screen with white letters came up with the following:

NTLDR is missing
press any key to restart

Pressing any key just kept scrolling the above message.  The message did go away, however.  

Again, I rebooted in the normal mode, and this time a blank, blue screen with no icons, start button, etc. appeared.  This is not the same shade of blue as a typical BSOD and there was no message.

Here are the latest HJT & smitfiles scans:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:55 PM, on 1/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\clark\Desktop\Misc. Programs\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130331619744
O16 - DPF: {96AD66E6-8375-4864-8F4D-0F15023C2AF6} (CWUInstall Object) - http://www.wunderground.com/windowsinstall/weather.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activ...nfosFinder2.CAB
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/insta...cdetection3.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 01/18/2006
The current time is:  9:21:22.22

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!


 checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of explorer.exe

Starting registry repairs

Deleting files


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~




 ~~~ Wininet.dll ~~~

 CLEAN! :)

I really appreciate your help!

Clark

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Hijacked, plus missing Registry files?
« Reply #5 on: January 18, 2006, 11:05:32 PM »
I'm not sure if you got into windows or not with the infected computer
But please do the following

==Download and save WinPFind.zip
UNZIP the contents to your desktop>>Or transfer to the infected computer
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WindPFind.txt located in the WinPFind folder



Offline geekwanabe

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Hijacked, plus missing Registry files?
« Reply #6 on: January 19, 2006, 04:55:26 AM »
I followed your instructions and it's not fixed, but I think you're closing in on it.

Below is the latest WinPFind text file, after the program scan completed:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 4    Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PTech                5/19/2005 6:00:00 PM        520456     C:\WINNT\SYSTEM32\LegitCheckControl.dll
PECompact2           1/4/2006 9:41:02 PM         2827616    C:\WINNT\SYSTEM32\MRT.exe
aspack               1/4/2006 9:41:02 PM         2827616    C:\WINNT\SYSTEM32\MRT.exe
WinShutDown          8/8/2005 6:00:00 PM         64000      C:\WINNT\SYSTEM32\PFAUTO8.DLL
Umonitor             1/12/2005 1:39:46 PM        531216     C:\WINNT\SYSTEM32\RASDLG.DLL
winsync              12/6/1999 10:00:00 PM       1309184    C:\WINNT\SYSTEM32\wbdbase.deu
WinShutDown          2/2/2005 6:00:00 PM         72192      C:\WINNT\SYSTEM32\WPAUTO8.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     1/18/2006 1:55:58 PM      S 64         C:\WINNT\CSC\00000001
                     1/18/2006 12:53:12 PM     S 64         C:\WINNT\CSC\00000002
                     1/17/2006 8:38:46 AM      S 64         C:\WINNT\CSC\csc1.tmp
                     12/26/2005 9:41:22 PM    H  65         C:\WINNT\Downloaded Program Files\desktop.ini
                     1/1/2006 6:00:00 PM      H  36656      C:\WINNT\Fonts\dosapp.fon
                     12/2/2005 6:00:00 PM     H  5312       C:\WINNT\Fonts\ega80woa.fon
                     12/26/2005 9:41:20 PM    H  65         C:\WINNT\Offline Web Pages\desktop.ini
                     1/18/2006 1:29:26 PM     H  1024       C:\WINNT\system32\config\default.LOG
                     1/19/2006 2:56:50 AM     H  1024       C:\WINNT\system32\config\SAM.LOG
                     1/19/2006 2:54:50 AM     H  1024       C:\WINNT\system32\config\SECURITY.LOG
                     1/19/2006 2:59:14 AM     H  1024       C:\WINNT\system32\config\software.LOG
                     12/25/2005 12:33:56 AM   HS 336        C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\795573ed-3586-4db5-acdf-2055c0e16b3f
                     12/25/2005 12:33:56 AM   HS 24         C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     1/18/2006 1:55:58 PM     H  6          C:\WINNT\Tasks\SA.DAT
                     12/26/2005 8:35:42 PM   RH  356        C:\WINNT\Temp\OLD10.tmp
                     12/26/2005 8:35:42 PM   RH  2772940    C:\WINNT\Temp\OLDF.tmp
                     12/8/2005 6:00:00 PM     H  830        C:\WINNT\Web\deskmovr.htt
                     12/14/2005 6:00:00 PM    H  3210       C:\WINNT\Web\folder.htt
                     12/26/2005 9:41:26 PM    H  11083      C:\WINNT\Web\ftp.htt
                     11/29/2005 6:00:00 PM    H  16887      C:\WINNT\Web\imgview.htt

Checking for CPL files...
Microsoft Corporation          12/6/1999 10:00:00 PM       67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          7/30/2005 6:00:00 PM        301328     C:\WINNT\SYSTEM32\appwiz.cpl
                               11/9/2005 2:38:50 PM        69632      C:\WINNT\SYSTEM32\av.cpl
Creative Technology Ltd.       8/24/2000 1:56:00 AM        228352     C:\WINNT\SYSTEM32\CTDetect.cpl
Microsoft Corporation          5/20/2005 6:00:00 PM        237328     C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation          12/6/1999 10:00:00 PM       31504      C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation          12/6/1999 10:00:00 PM       128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          12/6/1999 10:00:00 PM       118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          3/16/2005 6:00:00 PM        36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          2/2/2005 6:00:00 PM         326144     C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         11/10/2005 1:03:50 PM       49265      C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          12/6/1999 10:00:00 PM       122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          12/6/1999 10:00:00 PM       303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          12/6/1999 10:00:00 PM       17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          7/21/2005 6:00:00 PM        41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM        41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          7/9/2005 6:00:00 PM         90896      C:\WINNT\SYSTEM32\powercfg.cpl
SiSoftware                     8/21/2005 6:00:00 PM        53248      C:\WINNT\SYSTEM32\SanCpl.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM        83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          5/1/2005 6:00:00 PM         125712     C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation          12/6/1999 10:00:00 PM       5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          3/29/2005 6:00:00 PM        61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          8/29/2005 6:00:00 PM        174360     C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:14:40 AM        292352     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          1/12/2005 1:40:00 PM        64784      C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation                9/23/1999 5:44:36 PM        94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          7/21/2005 6:00:00 PM        41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          6/19/2003 1:05:04 PM        41232      C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/29/2005 6:00:00 PM        174360     C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     12/25/2005 9:57:54 AM       1581       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     12/25/2005 9:57:56 AM       1574       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     12/25/2005 9:57:56 AM       557        C:\Documents and Settings\clark\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     5/25/2005 6:00:00 PM        1604       C:\Documents and Settings\clark\Application Data\AdobeDLM.log
                     3/16/2005 4:29:12 PM        0          C:\Documents and Settings\clark\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Evidence Eliminator
   {B1816445-A3ED-11D3-B2B3-00104B4C6B08}    = C:\WINNT\system32\Eeshellx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ShellExtension
   {1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}    = C:\Program Files\WinAntiVirus Pro 2006\WAV6COM.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VersionsMenu
   {03170921-4754-11cf-AB9A-00C0F00683EB}    = E:\Corel\Suite8\Versions\CVersion.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
       =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
       = shellwp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Evidence Eliminator
   {B1816445-A3ED-11D3-B2B3-00104B4C6B08}    = C:\WINNT\system32\Eeshellx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
   {C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}    = C:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VersionsMenu
   {03170921-4754-11cf-AB9A-00C0F00683EB}    = E:\Corel\Suite8\Versions\CVersion.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
       =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
   {C0E10002-0028-0001-C0E1-C0E1C0E1C0E1}    = C:\Corel\Suite8\Programs\PFSE80.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ShellExtension
   {1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}    = C:\Program Files\WinAntiVirus Pro 2006\WAV6COM.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
       =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
    = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
    = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = blank

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINNT\System32\msdxm.ocx
   {2318C2B1-4965-11d4-9B18-009027A5CD4F}    = &Google   : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48A0-441B-A342-7C2A440A9478}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = blank

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} =    :
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} =    :
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} =    :
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar2.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    :
   {57F02779-3D88-4958-8AD3-83C12D86ADC7} =    :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Synchronization Manager   mobsync.exe /logon
   HPDJ Taskbar Utility   C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
   SunJavaUpdateSched   C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
   AdwareAlert   C:\Program Files\AdwareAlert\adwarealert.Exe -boot
   RAM Idle Professional   C:\Program Files\RAM Idle LE\RAM_XP.exe
   CTRegRun   C:\WINNT\CTRegRun.EXE
   Disc Detector   C:\Program Files\Creative\ShareDLL\CtNotify.exe
   WinAntiVirusPro2006   C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Evidence Eliminator   C:\Program Files\Evidence Eliminator\ee.exe /m
   ClocX   C:\Program Files\ClocX\ClocX.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
   NoActiveDesktopChanges   0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   DisableTaskMgr   0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
   NoAddingComponents   0
   NoComponents   0
   NoDeletingComponents   0
   NoEditingComponents   0
   NoCloseDragDropBands   0
   NoMovingBands   0
   NoHTMLWallPaper   0
   NoChangingWallPaper   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   149
   CDRAutoRun   0
   NoActiveDesktop   0
   NoSaveSettings   0
   ClassicShell   0
   NoThemesTab   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
   DisableTaskMgr   0
   NoColorChoice   0
   NoSizeChoice   0
   NoDispScrSavPage   0
   NoDispCPL   0
   NoVisualStyleChoice   0
   NoDispSettingsPage   0
   NoDispAppearancePage   0
   NoDispBackgroundPage   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   Network.ConnectionTray            {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINNT\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
    = wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/19/2006 3:07:54 AM
« Last Edit: January 19, 2006, 04:57:29 AM by geekwanabe »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked, plus missing Registry files?
« Reply #7 on: January 19, 2006, 12:52:31 PM »
Let's try this again.
AdwareAlert may be interfering,
and it's not a recommended tool.
I would uninstall it, but regardless of what you opt to do, I need you to disable its real-time protections.

Can you reboot back into safe mode
"Make sure you log into the account that is having the desktop problems"
Using Task Manager
New Task(Run) type in

appwiz.cpl
That should get you into Add/Remove Programs.
Uninstall AdwareAlert if you choose to go this route.
But as I remind you, to ensure it's not interfering with any fixes we try, you must, at minimum, disable its real-time protections.
If you can't find it in Add/Remove Programs:

Navigate to the following folder
C:\Program Files\AdwareAlert
Check to see if there is an uninstaller in the folder that you can run

If you can't find it in either Add/Remove Programs or the AdwareAlert folder,
just delete the AdwareAlert folder.

Run SmitRem's runthis.bat again, from the user account having the desktop problems.
When it's done, remain in safe mode.

Using Task Manager, run HijackThis.exe.
Do a "System scan only" with HijackThis and put a check next to these entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe


Click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot into normal mode

Right-click on the desktop and left-click Properties to bring up Display Properties.
If that won't work, open Task Manager >> New Task,
type in
desk.cpl
Click the Desktop tab.
Change your background (you can change it back later if preferred).
Click the Customize Desktop button.
Click the Web tab in the Desktop Items window.
Uncheck "Security", or make sure all checkboxes in this window are unchecked.
OK your way out.
Log off your user account and log back on again if anything was unchecked.

See if that helps the desktop issue
« Last Edit: January 19, 2006, 06:45:19 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline geekwanabe

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Hijacked, plus missing Registry files?
« Reply #8 on: January 26, 2006, 12:20:38 AM »
Sorry for the delayed reply.  My job responsibilities have imprisoned me!

Per your instructions, I cannot get appwiz.cpl to display using Task Manager; however, I was able to locate and execute the uninstall program for AdwareAlert, so it appears to be gone.  When I boot into safe mode and I select Windows 2000, I get a black screen with white characters, stating:

multi(0)disk(0)rdisk(0)partition(1)\WINNT\System32\ntoskrnl.exe

Actually, there are several of these \WINNT\System32 messages.  It seems to me that many Registry files are altered, or have been 'jacked.  When I run SmitRem's runthis.bat, the text whizzes by, but everything says the items are either missing or can't be found.  When I try to run the 'Disk Cleanup' section of SmitRem, it freezes up.  I've tried many times, but it is unable to scan the hard drives.

I was able to run HijackThis; I ticked the three entries in R3, O4, and O16, clicked on 'Fix checked', and later confirmed deletion of these.

When I reboot into normal mode, right-clicking, left-clicking... nothing... just a blank screen.  When I boot into safe mode and access Task Manager, I type in desk.cpl and the 'Display Properties' box comes up, but there is no Desktop tab to click. I have only the following tabs: 'Background', 'Screen Saver', 'Appearance', and 'Settings'.  There is no 'Web' tab displaying, so I can't uncheck 'Show Web content on my Active Desktop' or any other item in the 'Web' tab category.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Hijacked, plus missing Registry files?
« Reply #9 on: January 26, 2006, 01:29:06 AM »
Can you try the following?

Navigate to this file; I don't recognize it:
C:\WINNT\SYSTEM32\av.cpl

Right-click on av.cpl and select Properties.
If there is a Version tab, select it. Do you know what it's related to?
If not, right-click on it and select Rename.
Name it av.cpl.old

Open Notepad (START >>> RUN >>> type in notepad)
Hit OK.
Copy the contents of the CODE box to Notepad, not including the word "code".
In Notepad click FILE >> SAVE AS.
IMPORTANT >>> Change the Save as Type to All Files.
Name the file fix.reg

Save this file to a floppy, CD, or USB drive.
Transfer it to a folder on the infected computer.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoHTMLWallPaper"=-
"NoChangingWallPaper"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktop"=-
"ClassicShell"=-

Double-click on fix.reg and allow it to add/merge to the registry.
Reboot the computer.
Any change?

Also, could you open Task Manager, New Task (Run),
type in
explorer.exe
Do the icons show, or do you get an error message? If so, what is the error message?
« Last Edit: January 26, 2006, 01:32:40 AM by guestolo »

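The fix.reg above deletes policy values that hide the desktop and block Task Manager. As an added example (not from this thread or from guestolo), the following PowerShell script audits those same policy values, plus the Winlogon Shell and Userinit values shown in the WinPFind log, so a responder can see what is actually set before merging a .reg file blindly. It assumes a modern Windows host with PowerShell and an elevated prompt; the key and value names are the ones in the log above.

```powershell
# Added example: report policy values and Winlogon settings that a desktop
# hijack typically tampers with. Assumes an elevated PowerShell prompt.

$checks = @(
    # Path, value name, and the value that means "restriction active"
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';      Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktop';     Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'ClassicShell';        Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoComponents';        Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoAddingComponents';  Bad = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Bad = 1 }
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue makes a missing key or value return $null
    # instead of an error, so "absent" is reported explicitly.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("absent           {0}\{1}" -f $c.Path, $c.Name)
    } elseif ($item.($c.Name) -eq $c.Bad) {
        Write-Output ("RESTRICTION SET  {0}\{1} = {2}" -f $c.Path, $c.Name, $item.($c.Name))
    } else {
        Write-Output ("ok               {0}\{1} = {2}" -f $c.Path, $c.Name, $item.($c.Name))
    }
}

# Winlogon Shell and Userinit: the log above shows the stock values
# (Shell = Explorer.exe, Userinit = <system32>\userinit.exe followed by a
# comma). Anything else means the logon sequence has been redirected.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell    = 'explorer.exe'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($wl.Shell -ine $expectedShell) {
    Write-Warning "Winlogon Shell is '$($wl.Shell)' (expected '$expectedShell')"
}
if ($wl.Userinit -ine $expectedUserinit) {
    Write-Warning "Winlogon Userinit is '$($wl.Userinit)' (expected '$expectedUserinit')"
}
```

Values reported as RESTRICTION SET are the ones the fix.reg above would remove; a policy the administrator set on purpose (for example through Group Policy) will show up the same way, so confirm the source before deleting it.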