Author Topic: Winhound (Read 7057 times)

Miromc · « **Reply #20 on:** December 17, 2005, 02:46:25 PM »

Just a quick question.

I don't want to disable system restore simply because I don't want to loose all the restore points that were before the virus hit. This won't negatively affect my system in anyway will it?

I'll get to your other steps later tonight. I'm off to work now, I should have those steps completed by 2 AM EST.

guestolo · « **Reply #21 on:** December 17, 2005, 02:57:38 PM »

As you can see by your Ewido log
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023728.dll -> Adware.SpySheriff : Cleaned with backup

That's your system restore folders
The best and only way to actually clean these from your system
Is the steps I provided earlier on clearing your restore points
<Ewido may not of found everthing>

If everything is running better, why not start with a nice clean restore point

It's optional you do this step, but if you find everything is running good, I would do it
How would you ever know if a trojan is not waiting in your restore folder
Waiting to bite you again

Miromc · « **Reply #22 on:** December 18, 2005, 02:15:17 AM »

[quote name=\'guestolo\' post=\'77557\' date=\'Dec 17 2005, 02:43 PM\']If you would like to disable some entries from running on startup using resources
I like this small little too
It's a small download
Don't disable something unless your sure, obviously don't disable your AV from running on startup
Codestuff's Starter
UNZIP it to a folder of it's own
Eg...Open MyDocuments>>Right click an empty spot and left click NEW>>Folder
Name it something like "Starter"
Uncheck an item to disable on startup
Or look within a program first to disable on startup

Use this link to track down what you need or don't need
http://castlecops.com/modules.php?name=StartupList[/quote]

Can't I do that exact same thing from MSCONFIG?

Quote

I'm not sure of your system specs.
How much Ram in your computer?

The Computer is a Dell Inspiron 8500.
RAM = 512MB
Processor Speed = 1.95 GHZ, Pentium 4
Windows XP, SP1

guestolo · « **Reply #23 on:** December 18, 2005, 02:20:45 AM »

The great debate whether to use Msconfig or not to use Msconfig
I like to leave it for troubleshooting purposes, but Yes, you can use msconfig to disable your runkeys and global startups

I'll leave that option up to you too
However Starter is a small download and easy to use

Miromc · « **Reply #24 on:** December 18, 2005, 03:48:54 AM »

Well, since I know how to use it, I just disabled a few things in msconfig and I finally completed the defragmentation.

guestolo · « **Reply #25 on:** December 18, 2005, 03:50:39 AM »

I hope things have improved performance wise on your side a bit anyways?

Miromc · « **Reply #26 on:** December 18, 2005, 04:05:20 AM »

Preformance wise, perhaps a tiny bit....but it's still really slow. I doubt anything can be done anyway to speed it up besides just formatting it...........which I want to do, but am not allowed to do.

guestolo · « **Reply #27 on:** December 18, 2005, 01:00:26 PM »

Can we just take another look at another log

==Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WindPFind.txt located in the WinPFind folder

Do you have any other user accounts on this computer?

Miromc · « **Reply #28 on:** December 18, 2005, 02:10:15 PM »

Here is the log file.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

Checking %System% folder...
PEC2 08/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 12/15/2005 5:59:56 PM 6529 C:\WINDOWS\SYSTEM32\kernels64.exe
UPX! 05/15/2004 3:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 06/19/2004 5:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
FSG! 12/15/2005 6:00:18 PM 14901 C:\WINDOWS\SYSTEM32\msvcp.exe
Umonitor 08/29/2002 5:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 12/15/2005 6:00:18 PM 14901 C:\WINDOWS\SYSTEM32\split1.exe
UPX! 10/30/2005 8:49:02 PM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
winsync 08/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/18/2005 1:54:22 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
12/16/2005 12:18:20 PM RHS 44032 C:\WINDOWS\SYSTEM\svwhost.dll
12/18/2005 1:54:12 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
12/18/2005 1:54:42 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
12/18/2005 1:54:24 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
12/18/2005 1:55:34 PM H 73728 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
12/18/2005 1:54:26 PM H 1060864 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A7T4I1DL\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KUS891H3\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QZOSI8UH\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R64H38VO\desktop.ini
11/03/2005 8:42:20 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\9cd91cb9-1a7e-4a3e-ad8a-ec1d276e6c53
11/03/2005 8:42:20 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
12/11/2005 7:35:54 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\dd5fa404-51a5-421e-aaa4-37036c4b5c24
12/11/2005 7:35:54 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
12/18/2005 1:53:16 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/18/2005 1:50:02 PM HS 113 C:\WINDOWS\temp\History\History.IE5\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\4HCC27AY\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\M54PAPYB\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\PHRS2L4E\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\UM2UYZXY\desktop.ini

Checking for CPL files...
Microsoft Corporation 08/29/2002 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 01/03/2003 11:43:28 AM 798720 C:\WINDOWS\SYSTEM32\B57exp.cpl
05/24/2002 11:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 08/29/2002 5:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 06/12/2003 11:44:04 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 04/11/2001 12:22:06 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 04/09/2003 10:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 08/29/2002 5:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 05/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
06/12/2003 11:44:28 AM 730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
09/03/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
05/10/2005 6:12:52 PM 920 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
09/03/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
07/26/2004 11:34:00 AM 3282 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
09/03/2002 9:00:00 AM HS 84 C:\Documents and Settings\Cheryl McHugh\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
05/27/2005 10:09:40 AM 1168 C:\Documents and Settings\Cheryl McHugh\Application Data\AdobeDLM.log
09/03/2002 8:50:46 AM HS 62 C:\Documents and Settings\Cheryl McHugh\Application Data\DESKTOP.INI
05/27/2005 10:09:40 AM 0 C:\Documents and Settings\Cheryl McHugh\Application Data\dm.ini
12/29/2003 6:04:08 PM 61248 C:\Documents and Settings\Cheryl McHugh\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
   ButtonText    = Real.com   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MCUpdateExe   C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
   HPDJ Taskbar Utility   C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
   HPHUPD05   C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
   HP Component Manager   "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
   HPHmon05   C:\WINDOWS\System32\hphmon05.exe
   VirusScan Online   c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
   Share-to-Web Namespace Daemon   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   RealTray   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   MCAgentExe   C:\Program Files\McAfee.com\Agent\mcagent.exe
   HPHUPD04   "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
   HPHmon04   C:\WINDOWS\System32\hphmon04.exe
   HP Software Update   "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
   EM_EXEC   C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   Dell QuickSet   C:\Program Files\Dell\QuickSet\quickset.exe
   CamMonitor   C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
   AdaptecDirectCD   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   PCTVOICE   pctspk.exe
   ATIPTA   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
   Apoint   C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   DellSupport   "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   backup   C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
   item   Microsoft Office
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   backup   C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
   item   Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
   backup   C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\Nikon\NkView6\NkvMon.exe
   item   NkvMon.exe
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
   backup   C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\Nikon\NkView6\NkvMon.exe
   item   NkvMon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Ati2mdxx
   hkey   HKLM
   command   Ati2mdxx.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1
   DisableTaskMgr   0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
   NoComponents   0
   NoAddingComponents   0
   NoDeletingComponents   0
   NoEditingComponents   0
   NoHTMLWallPaper   1
   NoChangingWallPaper   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoActiveDesktop   0
   NoSaveSettings   0
   ClassicShell   0
   NoThemesTab   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
   DisableTaskMgr   0
   NoColorChoice   0
   NoSizeChoice   0
   NoDispScrSavPage   0
   NoDispCPL   0
   NoVisualStyleChoice   0
   NoDispSettingsPage   0
   NoDispAppearancePage   0
   NoDispBackgroundPage   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/18/2005 2:02:37 PM

As for other user accounts. There are 4 on this computer, but the other three haven't been used since we bought the laptop 3 years ago.

guestolo · « **Reply #29 on:** December 18, 2005, 02:30:17 PM »

I still see some bad files
I want to check on a couple

Can you make sure to
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Can you go to this site
Jotti's Online Malware scan
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\msvcp.exe <-this file

Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

Do the same for this file please
C:\WINDOWS\SYSTEM32\split1.exe

Miromc · « **Reply #30 on:** December 18, 2005, 10:02:48 PM »

Here is the first one.

Service load:
0%              100%
File:    msvcp.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5    5862f660195b099581e0985afd947f3c
Packers detected:
FSG
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.zt
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

Here is the second one

Service load:
0%              100%
File:    split1.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5    5862f660195b099581e0985afd947f3c
Packers detected:
FSG
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan-Downloader.Win32.Agent.zt
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

guestolo · « **Reply #31 on:** December 18, 2005, 10:33:22 PM »

Okay, thought they would come out to be bad

Can you do the following please
Download Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe
http://www.atribune.org/downloads/KillBox.exe

Please open Notepad, save these instructions to a Notepad file and save it to your desktop for easy access

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Select Safe mode from the Startup menu

Once in safe mode
Start Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" copy and paste entry below in bold

C:\WINDOWS\SYSTEM32\kernels64.exe

Then click the Red Circle with the White X
Allow to make a backup and delete the file

Carry on with the same instructions with the rest of these

C:\WINDOWS\SYSTEM32\msvcp.exe
C:\WINDOWS\SYSTEM32\split1.exe
C:\WINDOWS\SYSTEM\svwhost.dll

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
Decline to Log off or Restart the computer

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows

Post the results of the WindPFind.txt located in the WinPFind folder

Could you also go back to Jotti's online malware scan and scan this file and post the results
C:\WINDOWS\SYSTEM32\cpl_moh.cpl <-this file

EDIT>>Could you also post a fresh hijackthis log please

Miromc · « **Reply #32 on:** December 18, 2005, 11:07:47 PM »

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

Checking %System% folder...
PEC2 08/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
UPX! 05/15/2004 3:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 06/19/2004 5:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
Umonitor 08/29/2002 5:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX! 10/30/2005 8:49:02 PM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
winsync 08/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/18/2005 10:45:06 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
12/18/2005 10:44:56 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
12/18/2005 10:45:24 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
12/18/2005 10:45:08 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
12/18/2005 10:50:02 PM H 184320 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
12/18/2005 10:51:26 PM H 1155072 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A7T4I1DL\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KUS891H3\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QZOSI8UH\desktop.ini
12/17/2005 2:04:12 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R64H38VO\desktop.ini
11/03/2005 8:42:20 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\9cd91cb9-1a7e-4a3e-ad8a-ec1d276e6c53
11/03/2005 8:42:20 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
12/11/2005 7:35:54 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\dd5fa404-51a5-421e-aaa4-37036c4b5c24
12/11/2005 7:35:54 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
12/18/2005 10:44:00 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/18/2005 1:50:02 PM HS 113 C:\WINDOWS\temp\History\History.IE5\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\4HCC27AY\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\M54PAPYB\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\PHRS2L4E\desktop.ini
12/18/2005 1:50:02 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\UM2UYZXY\desktop.ini

Checking for CPL files...
Microsoft Corporation 08/29/2002 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 01/03/2003 11:43:28 AM 798720 C:\WINDOWS\SYSTEM32\B57exp.cpl
05/24/2002 11:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 08/29/2002 5:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 06/12/2003 11:44:04 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 04/11/2001 12:22:06 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 04/09/2003 10:13:02 PM 81920 C:\WINDOWS\SYSTEM32\STAC97.cpl
Microsoft Corporation 08/29/2002 5:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 08/29/2002 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 05/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
06/12/2003 11:44:28 AM 730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
09/03/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
05/10/2005 6:12:52 PM 920 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-G Notebook Adapter Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
09/03/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
07/26/2004 11:34:00 AM 3282 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
09/03/2002 9:00:00 AM HS 84 C:\Documents and Settings\Cheryl McHugh\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
05/27/2005 10:09:40 AM 1168 C:\Documents and Settings\Cheryl McHugh\Application Data\AdobeDLM.log
09/03/2002 8:50:46 AM HS 62 C:\Documents and Settings\Cheryl McHugh\Application Data\DESKTOP.INI
05/27/2005 10:09:40 AM 0 C:\Documents and Settings\Cheryl McHugh\Application Data\dm.ini
12/29/2003 6:04:08 PM 61248 C:\Documents and Settings\Cheryl McHugh\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
   ButtonText    = Real.com   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MCUpdateExe   C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
   HPDJ Taskbar Utility   C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
   HPHUPD05   C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
   HP Component Manager   "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
   HPHmon05   C:\WINDOWS\System32\hphmon05.exe
   VirusScan Online   c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
   Share-to-Web Namespace Daemon   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   RealTray   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   MCAgentExe   C:\Program Files\McAfee.com\Agent\mcagent.exe
   HPHUPD04   "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
   HPHmon04   C:\WINDOWS\System32\hphmon04.exe
   HP Software Update   "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
   EM_EXEC   C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   Dell QuickSet   C:\Program Files\Dell\QuickSet\quickset.exe
   CamMonitor   C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
   AdaptecDirectCD   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   PCTVOICE   pctspk.exe
   ATIPTA   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
   Apoint   C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   DellSupport   "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   backup   C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
   item   Microsoft Office
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
   backup   C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
   item   Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
   backup   C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\Nikon\NkView6\NkvMon.exe
   item   NkvMon.exe
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
   backup   C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\Nikon\NkView6\NkvMon.exe
   item   NkvMon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Ati2mdxx
   hkey   HKLM
   command   Ati2mdxx.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1
   DisableTaskMgr   0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
   NoComponents   0
   NoAddingComponents   0
   NoDeletingComponents   0
   NoEditingComponents   0
   NoHTMLWallPaper   1
   NoChangingWallPaper   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoActiveDesktop   0
   NoSaveSettings   0
   ClassicShell   0
   NoThemesTab   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
   DisableTaskMgr   0
   NoColorChoice   0
   NoSizeChoice   0
   NoDispScrSavPage   0
   NoDispCPL   0
   NoVisualStyleChoice   0
   NoDispSettingsPage   0
   NoDispAppearancePage   0
   NoDispBackgroundPage   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/18/2005 10:58:06 PM

Service load:
0%              100%
File:    cpl_moh.cpl
Status:
OK
MD5    df6b52f4094d4ec2d88382ccee4a7058
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

Logfile of HijackThis v1.99.1
Scan saved at 11:07:32 PM, on 12/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

guestolo · « **Reply #33 on:** December 18, 2005, 11:46:25 PM »

Hi again, did that help any???
Seems as if Kapersky's was one of the 2 scanners identifying the bad files

Could you do the following please
We may find more bad guys hiding
Please run a free online scan with Kaspersky AntiVirus <works only with Internet Explorer>
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

* In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
* When you get the Windows dialog asking if you want to install this software, click the "Install" button.
* When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
* Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
* Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Miromc · « **Reply #34 on:** December 19, 2005, 12:38:49 AM »

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 19, 2005 00:37:05
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/12/2005
Kaspersky Anti-Virus database records: 166022
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 35617
   Number of viruses found: 18
   Number of infected objects: 67
   Number of suspicious objects: 0
   Duration of the scan process: 1823 sec

Infected Object Name - Virus Name
C:\!KillBox\kernels64.exe   Infected: Trojan-Downloader.Win32.Tibs.p
C:\!KillBox\msvcp.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\!KillBox\split1.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\!KillBox\svwhost.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021088.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021096.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021113.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021224.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021228.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP621\A0021232.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP622\A0021261.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP622\A0021265.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP622\A0021268.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP623\A0021293.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP623\A0021315.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP623\A0021317.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021363.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021365.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021395.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021405.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021412.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021435.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021447.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021451.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021472.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021479.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021489.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021517.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021528.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021541.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021562.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021573.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0021582.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022562.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022575.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022585.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022613.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022615.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0022632.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023682.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023690.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023696.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023700.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023702.dll   Infected: Backdoor.Win32.Agent.qr
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023707.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023731.dll   Infected: Trojan-Proxy.Win32.Small.ct
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023732.exe   Infected: Trojan-Dropper.Win32.Agent.aax
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023733.exe   Infected: Backdoor.Win32.Agent.px
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023734.exe   Infected: Trojan.Win32.Inject.i
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023737.exe   Infected: Trojan-Dropper.Win32.Agent.ri
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023738.exe   Infected: Trojan-Dropper.Win32.Agent.abu
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023739.exe   Infected: Trojan-Downloader.Win32.Tibs.s
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023740.exe   Infected: Trojan-Downloader.Win32.Small.bho
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023741.dll   Infected: Trojan-Downloader.Win32.Agent.pi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023744.exe   Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023745.exe   Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023746.exe   Infected: Trojan-Clicker.Win32.Spywad.n
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023747.exe   Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023748.exe   Infected: Trojan-Downloader.Win32.Small.cbe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023749.dll   Infected: Trojan-Downloader.Win32.Delf.zu
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023754.dll   Infected: Trojan-Proxy.Win32.Delf.al
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP625\A0023755.exe   Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP626\A0023838.dll   Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0023972.exe   Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0023973.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0023974.exe   Infected: Trojan-Downloader.Win32.Agent.zt
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP627\A0023975.dll   Infected: Backdoor.Win32.Agent.qr

Scan process completed.

guestolo · « **Reply #35 on:** December 19, 2005, 12:45:45 AM »

I notice it found a lot of bad files in your system restore folder
I've gave you a warning about that already

You can delete this folder made by Killbox
C:\!KillBox <-this folder

How is everything running?

I like to hear how it's going instead of guessing at it

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Miromc · « **Reply #36 on:** December 19, 2005, 12:55:25 AM »

Yeah, I know I have a lot of bad stuff in my system restore, but I do't want to delete that. I'll take my chances with it. Like I said, we run a business on this machine, and I want a system resotre just in case. PLus, the restore files before the infectios would still be good, wouldn't they?

The computer is running like it did before the virus(es) hit. Now it is back to being its slow self again. One day I will convince everyone to let my format the stupid thing.

guestolo · « **Reply #37 on:** December 19, 2005, 01:03:39 AM »

Quote

Yeah, I know I have a lot of bad stuff in my system restore, but I do't want to delete that. I'll take my chances with it. Like I said, we run a business on this machine, and I want a system resotre just in case. PLus, the restore files before the infectios would still be good, wouldn't they?

Whoa! That's definitely no guarantee
The whole complete restore folders could have trojans or bad reg. settings waiting to come back on you
I never did ask you too keep it completely disabled
I wanted you to disable system restore and then reboot than reenable it
That way you could restore back to this time right now

Are you getting any popups or anything like that
Are you planning to run system restore on the computer to restore to a time before the viruses started?

Is there any way you could post a hijackthis log from the other user accounts

When you say the system is slow, Is it Windows in General or the Internet?

Miromc · « **Reply #38 on:** December 19, 2005, 01:22:08 AM »

I don't ever plan on doing a system restore, but if I do, I want the option to go back to before the viruses hit.

Windows is slow......Windows is VERY slow.

Here is the HiJackThis log from another account.

Logfile of HijackThis v1.99.1
Scan saved at 2:22:47 AM, on 12/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

guestolo · « **Reply #39 on:** December 19, 2005, 01:43:16 AM »

Nothing malicious in there
I guess it must be something else

I don't want to argue the System Restore debate any further
That I will leave up to you

So the computers as slow as it was before the viruses hit
Do you know what you installed before the slowdown or is it progressively just slowing down?

It's been some time since your last clean install of the system, may be time to do a cleanup

One last look at another log, then we can probably say it's not malware related
Please download Rootkit Revealer (link is at the very bottom of the page)

* Unzip it to your desktop.
* Open the rootkitrevealer folder and double-click rootkitrevealer.exe
* Click the Scan button (bottom right)
* It may take a while to scan (don't do anything while it's running)
* When it's done, go up to File > Save. Choose to save it to your desktop.
* Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

I noticed something I missed in your other user account

Can you repost a fresh hijackthis log from the original user account we started with
I noticed 2
C:\Windows\Explorer.exe's running in your processes
There should only be one

Also supply the Rootkit Revealer log

News:

Author Topic: Winhound (Read 7057 times)