Author Topic: STRUCK by the AXE again! (Read 3432 times)

Firestrider · « **on:** January 31, 2006, 04:20:17 PM »

I didn't think this was going to happen again ... but SpyAxe, SpyStrike, and its army of gay spyware has found its way onto my computer.

I'm using these programs:
Microsoft AntiSpyware
Windows Firewall
AVG Anti-Virus 7.1.375

From my experience Windows Firewall is unreliable.

PLEASE HELP.

Here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:19:15 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\rundll32.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\HijackThis\hijackthis.exe

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp4A2B.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] D:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

guestolo · « **Reply #1 on:** January 31, 2006, 05:41:34 PM »

Let's do the following to ensure we get you clean

==Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet

Download SmitRem.exe by Noahdfear and save the file to your desktop.
Don't run it yet

If you don't have the latest version of Ad-Aware
==Download and Install
Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
==In the event you already have Ad-aware, check for updates now please

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

Please Disable Microsoft AntiSpyware's realtime protections so it won't interfere in any fixes we try.
Leave these disabled until we're certain you are all clean
Open Microsoft AntiSpyware.
Click on Options>>Settings
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

In safe mode
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp4A2B.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Reboot back to Normal mode
Can you post back the following please

1. Post back a fresh hijackthis log
2. Post the whole contents of the Ewido report
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt

NOTE: You will have to reset your background in Display properties
XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

Firestrider · « **Reply #2 on:** February 01, 2006, 01:17:29 AM »

Logfile of HijackThis v1.99.1
Scan saved at 1:10:34 AM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/ac...mpaign=webda135
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         12:48:53 AM, 2/1/2006
+ Report-Checksum:      60E2BAC1

+ Scan result:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
   HKU\S-1-5-21-343818398-1767777339-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.20:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.23:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.24:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.25:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.37:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.116:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.133:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.158:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
   :mozilla.159:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
   :mozilla.160:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
   :mozilla.161:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.162:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.163:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.164:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.165:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.166:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.207:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.208:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.209:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.210:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.211:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.212:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.213:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.216:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.243:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.244:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
   :mozilla.247:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.248:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.249:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.250:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.251:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.252:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.253:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.254:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.255:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.256:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.275:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.276:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.277:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.278:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.293:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.294:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.295:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.297:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.303:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.304:C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
   D:\Program Files\Microsoft AntiSpyware\Quarantine\4D96BDB4-1A47-4A89-9EBE-45A447\0F9F4C13-ED4F-4ABC-B096-3E90EF -> Adware.SpywareStrike : Cleaned with backup
   D:\Program Files\Microsoft AntiSpyware\Quarantine\4D96BDB4-1A47-4A89-9EBE-45A447\4FB0F5BC-AAB3-4AED-9AB3-966C96 -> Adware.SpywareStrike : Cleaned with backup
   D:\Program Files\Microsoft AntiSpyware\Quarantine\4D96BDB4-1A47-4A89-9EBE-45A447\707CCA99-C0E3-4256-B66D-16EB6A -> Adware.SpywareStrike : Cleaned with backup
   D:\Program Files\Microsoft AntiSpyware\Quarantine\4D96BDB4-1A47-4A89-9EBE-45A447\AA56CA0D-5B2B-42CF-938E-5163E5 -> Adware.SpywareStrike : Cleaned with backup
   D:\Program Files\Microsoft AntiSpyware\Quarantine\4D96BDB4-1A47-4A89-9EBE-45A447\AAE2A90A-89D3-4B36-A16B-4EDC8E -> Adware.SpywareStrike : Cleaned with backup

::Report End

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 02/01/2006
The current time is: 0:28:17.48

Running from
C:\Documents and Settings\Sean Ryan\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files

~~~ Program Files ~~~

Security Toolbar

~~~ Shortcuts ~~~

~~~ Favorites ~~~

Antivirus Test Online.url

~~~ system32 folder ~~~

replmap.dll
1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1244 'explorer.exe'
Killing PID 1244 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #3 on:** February 01, 2006, 01:22:51 AM »

Did you run ATF-Cleaner and clean Firefox before running Ewido?

Can you do the following
It seems Microsoft AntiSpyware protections may still be running

Pay close attention
Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/ac...mpaign=webda135

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

post a fresh hijackthis log
Let me know how things are running

NOTE: If prompted at any time by Microsoft AntiSpyware about a change
ALLOW them so it won't interfere

Firestrider · « **Reply #4 on:** February 01, 2006, 06:56:21 AM »

Logfile of HijackThis v1.99.1
Scan saved at 6:55:40 AM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\HijackThis\hijackthis.exe

O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

No more popups or tray icons/blimps

guestolo · « **Reply #5 on:** February 01, 2006, 11:37:45 PM »

*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle

msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
[/list]
Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point

[indent][color=\"#CC0000\"]Protect yourself against Future Attacks[/color][/i][/b][/indent]
*Make sure you keep SpywareBlaster updated

*Keep up to date on Windows updates
In the event your not set to Autoupdate, make a habit of checking Microsoft's website for latest High priority updates
This is very important in keeping your system secure

*Make sure your Anti-Virus software is always kept up to date and actively running in the background

Quote

From my experience Windows Firewall is unreliable.

*A Firewall is very important in the protection of your computer
Windows Service pack 2 contains an adequate firewall protection
If you would like to consider a firewall with more controlled protection
Install one of the following
Sunbelt Kerio Personal Firewall

Zone Alarm by Zonelabs

OutPost by Agnitum

Sygate Personal Firewall

It's important to only use one Software firewall protection, this includes the one supplied with XP
More than one can cause a conflict

*Check for updates with your anti-spyware programs and run a scan on a regular basis
A great addition to Ad-Aware and Microsoft AntiSpyware
is Spybot 1.4, I recommend installing it if you don't have it
You can download it from HERE
or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check all boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer if any Red entries were fixed
Please Immunize after every update

You may also choose to hold onto Ewido
Ewido will become a Limited version in a couple weeks
It's still a very good scanner to update and run once a month

Stay safe

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Firestrider · « **Reply #6 on:** February 02, 2006, 04:01:09 PM »

OK thanks for all your help.

I have these anti-spyware and anti-virus programs installed:

AVG Anti-Virus
SpywareBlaster
Ewido Anti-Malware
Ad-Aware SE Personal
Microsoft AntiSpyware
Spyware - Search & Destroy

Is there any other options I should set on those?

What should be my startup programs? Right now I have AVG anti-virus and Microsoft AntiSpyware as startup programs.

How should I set up my schedulers? Right now I have AVG anti-virus, Microsoft AntiSpyware, and Windows Update to scan for updates daily at 12:00AM

guestolo · « **Reply #7 on:** February 03, 2006, 10:39:49 AM »

Use Ad-Aware>>Spybot>>Ewido as on demand scanners
Leave AVG and Microsoft AntiSpyware protections enabled for realtime protections

Your schedulers are user preference
They sound fine

AVG, for sure check everyday for updates
Windows updates>>I think you have the option to check every day or once a week
It would probably be safe to set to once a week, but that's up to you, the way you have it set is fine too
MAS>>Safe to set every week

Firestrider · « **Reply #8 on:** February 04, 2006, 12:17:05 AM »

Microsoft AntiSpyware keeps giving me this message:

Windows loads Explorer.exe, typically located in the Windows directory, during startup. If C:\Explorer.exe exists, it is run instead of Windows\Explorer.exe. Unless you have added this program specifically, you should block the change.

Even if I allow or remove and reboot it still pops up every 5 seconds.

guestolo · « **Reply #9 on:** February 04, 2006, 12:54:34 AM »

Can I see a couple different logs please
First post this one

Can I see a startup list from Hijackthis
Open Hijackthis>>Open the Misc tools section
Put a check in

List all minor sections (full)
and
List empty sections (complete)

Then click the "Generate Startuplist log"
Save this log to the desktop
Post the whole contents back here please

Then post this one
Can you do the following please
==Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WindPFind.txt located in the WinPFind folder

Firestrider · « **Reply #10 on:** February 04, 2006, 01:38:09 AM »

StartupList report, 2/4/2006, 1:34:24 AM
StartupList version: 1.52.2
Started from : D:\Program Files\HijackThis\hijackthis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Winamp\winamp.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\HijackThis\hijackthis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Sean Ryan\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

gcasServ = "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
AVG7_CC = D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

MSN Messenger = C:\WINDOWS\system32\msn.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

MSN Messenger = C:\WINDOWS\system32\msn.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{DF893A39-F0C8-11CF-C5F5-0020AFEECC20}] *
StubPath = C:\WINDOWS\system32\1

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: PRESENT!
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
ASInsHelp: \??\C:\WINDOWS\system32\drivers\AsInsHelp32.sys (autostart)
aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATITool Overclocking Utility: system32\DRIVERS\ATITool.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG E-mail Scanner: D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
ENTECH: \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: D:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: D:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Sandra Data Service: D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe (manual start)
Sandra Service: D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{42986905-8FB1-4561-8DB9-541058B5B0C1} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller: system32\DRIVERS\yk51x86.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 31,739 bytes
Report generated in 0.093 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Firestrider · « **Reply #11 on:** February 04, 2006, 01:55:47 AM »

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 1/31/2006 1:45:42 PM HS 30720 C:\Explorer.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/2/2006 10:21:26 PM 451072 C:\WINDOWS\Radeon Omega Drivers v3.8.205 Uninstall.exe

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/4/2004 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 1/12/2006 11:32:12 AM 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/31/2006 1:45:42 PM HS 30720 C:\WINDOWS\SYSTEM32\msn.exe
aspack 8/4/2004 7:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 7:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/4/2006 1:42:14 AM S 2048 C:\WINDOWS\bootstat.dat
1/29/2006 6:01:34 PM H 54156 C:\WINDOWS\QTFont.qfn
2/1/2006 1:12:54 AM HS 7680 C:\WINDOWS\Thumbs.db
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
1/29/2006 3:40:52 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
1/29/2006 3:40:52 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
1/29/2006 3:40:52 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
2/1/2006 7:12:56 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index2a.dat
2/1/2006 7:12:58 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index2b.dat
1/29/2006 2:05:04 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
1/29/2006 2:05:38 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
1/29/2006 2:29:26 PM H 0 C:\WINDOWS\inf\oem2.inf
1/29/2006 2:05:04 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
1/29/2006 2:05:22 PM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
1/29/2006 2:05:22 PM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
1/29/2006 2:05:22 PM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
1/29/2006 2:06:10 PM H 225280 C:\WINDOWS\repair\ntuser.dat
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
1/29/2006 2:05:04 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
1/31/2006 1:45:42 PM HS 30720 C:\WINDOWS\system32\msn.exe
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
1/29/2006 2:05:04 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/13/2006 4:35:06 AM S 89928 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem6.CAT
2/4/2006 1:42:08 AM H 8192 C:\WINDOWS\system32\config\default.LOG
2/4/2006 1:42:46 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/4/2006 1:42:14 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
2/4/2006 1:43:22 AM H 57344 C:\WINDOWS\system32\config\software.LOG
2/4/2006 1:42:18 AM H 761856 C:\WINDOWS\system32\config\system.LOG
1/29/2006 8:51:42 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
1/29/2006 8:51:44 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
1/29/2006 2:42:12 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
1/29/2006 2:29:40 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/29/2006 2:29:36 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/29/2006 2:30:08 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 2:29:40 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/29/2006 2:29:36 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/29/2006 2:30:08 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
1/29/2006 2:09:10 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
1/29/2006 2:09:10 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
1/29/2006 2:09:10 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
1/29/2006 2:05:06 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
1/29/2006 2:06:08 PM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
1/29/2006 2:06:08 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
1/29/2006 2:06:08 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
1/29/2006 2:06:08 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
1/29/2006 2:06:08 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
1/29/2006 3:14:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9aa208a6-dc02-49fc-a8bd-41304e455a03
1/29/2006 3:14:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
1/29/2006 2:09:14 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\884365cf-d9c3-489a-9570-0d25828f130f
1/29/2006 2:09:14 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2/4/2006 1:41:18 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Realtek Semiconductor Corp. 1/8/2004 1:53:58 PM 14204416 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/30/2004 11:17:14 AM 135168 C:\WINDOWS\SYSTEM32\DIRECTX.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
SiSoftware 10/9/2005 9:14:20 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp. 1/8/2004 1:53:58 PM 14204416 C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/29/2006 2:06:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/29/2006 8:53:14 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/1/2006 7:29:32 PM 3240 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
1/29/2006 2:06:08 PM HS 84 C:\Documents and Settings\Sean Ryan\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/29/2006 8:53:14 AM HS 62 C:\Documents and Settings\Sean Ryan\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
   SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   gcasServ   "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
   AVG7_CC   D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   MSN Messenger   C:\WINDOWS\system32\msn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   MSN Messenger   C:\WINDOWS\system32\msn.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   services   0
   startup   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1
   DisableTaskMgr   0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
   NoChangingWallPaper   0
   NoAddingComponents   0
   NoComponents   0
   NoDeletingComponents   0
   NoEditingComponents   0
   NoCloseDragDropBands   0
   NoMovingBands   0
   NoHTMLWallPaper   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoActiveDesktop   0
   NoSaveSettings   0
   ClassicShell   0
   NoThemesTab   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
   DisableTaskMgr   0
   NoDispAppearancePage   0
   NoColorChoice   0
   NoSizeChoice   0
   NoDispBackgroundPage   0
   NoDispScrSavPage   0
   NoDispCPL   0
   NoVisualStyleChoice   0
   NoDispSettingsPage   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/4/2006 1:48:13 AM

guestolo · « **Reply #12 on:** February 04, 2006, 01:24:13 PM »

Can you do me a favor please
I want to see what these files are related too and check to make sure on file isn't corrupt

Can you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
It's a legit file, I just want to make sure it's OK
C:\WINDOWS\Explorer.exe <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same with the next 2 please, they are definitely bad, I just want to see what they're related too
C:\Explorer.exe
C:\WINDOWS\SYSTEM32\msn.exe

Also, Can you download Find.zip
UNZIP the contents to your desktop so you now have Find.bat extracted
Double click on Find.bat
A text file will open, copy and paste the whole contents back here please

Firestrider · « **Reply #13 on:** February 04, 2006, 03:12:07 PM »

File: C:\WINDOWS\Explorer.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

File: C:\Explorer.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

File: C:\WINDOWS\SYSTEM32\msn.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:000002f8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:8f,b2,b8,32,cb,0d,c3,4b,5c,10,88,cf,da,35,82,9d,64,61,39,36,33,\
66,32,36,00,fd,07,00,d1,27,00,00,34,fa,07,00,56,82,7c,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,8f,2c,a0,d2,24,ac,96,eb,44,30,cc,da

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b7,ee,e0,bd,36,96,36,48,4e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:ba,e9,fa,38,e5,e8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:8c,4b,47,ce,9a,c5,80,bd,5a,d4,f0,f2,11,9d,80,a7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:66,9e,5d,23,0b,25,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

guestolo · « **Reply #14 on:** February 04, 2006, 03:26:54 PM »

Those 2 files are definitely bad

But can you do the following for me please
Use Internet Explorer and Run the online Panda ActiveScan
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.

When the scan is complete
click See Report, then click Save Report and save it to your Desktop.

Post back this report please, don't reboot the computer yet

Firestrider · « **Reply #15 on:** February 04, 2006, 07:19:20 PM »

Code: [Select]

Incident																		Status						Location																																																														

Spyware:Cookie/Falkag														   Not disinfected			   C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt[]																																					
Spyware:Cookie/Server.iad.Liveperson											Not disinfected			   C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt[89178482]																																			
Spyware:Cookie/Server.iad.Liveperson											Not disinfected			   C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt[]																																					
Spyware:Cookie/Server.iad.Liveperson											Not disinfected			   C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt[34292599]																																			
Spyware:Cookie/Serving-sys													  Not disinfected			   C:\Documents and Settings\Sean Ryan\Application Data\Mozilla\Firefox\Profiles\yfqpc5gb.default\cookies.txt[]

guestolo · « **Reply #16 on:** February 05, 2006, 01:12:52 AM »

Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
This will open an empty notepad file
Copy the contents of the CODE box to notepad, not including the word "code"
Paste this too the empty notepad file you just opened
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, well need this later, don't run it yet
Ensure to save from REGEDIT4 and below in the code box

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSN Messenger"=- 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSN Messenger"=-

Reboot into safe mode

Navigate to the following files, make sure you are in navigating to the correct locations please
C:\Explorer.exe
C:\WINDOWS\SYSTEM32\msn.exe

Right click on Explorer.exe and rename it too Explorer.old
Right click on msn.exe and rename too msn.old

Double click on fix.reg and allow to add/merge to the registry

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WindPFind.txt located in the WinPFind folder
Let me know how things are running please

Firestrider · « **Reply #17 on:** February 12, 2006, 12:02:59 AM »

Sorry for the delay.

I couldn't navigate to either of those files (even in the address bar).

Here is my WinPFind.txt:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 1/31/2006 1:45:42 PM HS 30720 C:\Explorer.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 2/2/2006 10:21:26 PM 451072 C:\WINDOWS\Radeon Omega Drivers v3.8.205 Uninstall.exe

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/4/2004 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 1/26/2006 1:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 1/26/2006 1:36:02 PM 574976 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 1/12/2006 11:32:12 AM 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/31/2006 1:45:42 PM HS 30720 C:\WINDOWS\SYSTEM32\msn.exe
aspack 8/4/2004 7:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 7:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/29/2006 4:40:44 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2/11/2006 11:49:02 PM S 2048 C:\WINDOWS\bootstat.dat
1/29/2006 6:01:34 PM H 54156 C:\WINDOWS\QTFont.qfn
2/1/2006 1:12:54 AM HS 7680 C:\WINDOWS\Thumbs.db
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
1/29/2006 3:40:52 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
1/29/2006 3:40:52 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
1/29/2006 3:40:52 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
2/1/2006 7:12:56 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index2a.dat
2/1/2006 7:12:58 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index2b.dat
1/29/2006 2:05:04 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
1/29/2006 2:05:38 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
1/29/2006 2:29:26 PM H 0 C:\WINDOWS\inf\oem2.inf
1/29/2006 2:05:04 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
1/29/2006 2:05:22 PM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
1/29/2006 2:05:22 PM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
1/29/2006 2:05:22 PM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
1/29/2006 2:06:10 PM H 225280 C:\WINDOWS\repair\ntuser.dat
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
1/29/2006 2:05:04 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
1/31/2006 1:45:42 PM HS 30720 C:\WINDOWS\system32\msn.exe
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
1/29/2006 2:05:04 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
1/29/2006 2:04:58 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2/11/2006 11:48:56 PM H 8192 C:\WINDOWS\system32\config\default.LOG
2/11/2006 11:49:10 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
2/11/2006 11:49:02 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
2/11/2006 11:52:00 PM H 86016 C:\WINDOWS\system32\config\software.LOG
2/11/2006 11:49:06 PM H 770048 C:\WINDOWS\system32\config\system.LOG
1/29/2006 8:51:42 AM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
1/29/2006 8:51:44 AM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
1/29/2006 2:42:12 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
1/29/2006 2:29:40 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/29/2006 2:29:36 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/29/2006 2:30:08 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 2:29:40 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/29/2006 2:29:36 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/29/2006 2:30:08 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
1/29/2006 2:09:10 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
1/29/2006 2:09:10 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
1/29/2006 2:09:10 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
1/29/2006 2:05:06 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
1/29/2006 8:53:14 AM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
1/29/2006 2:06:08 PM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
1/29/2006 2:06:08 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
1/29/2006 2:06:08 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
1/29/2006 2:06:08 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
1/29/2006 2:06:08 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
1/29/2006 3:14:32 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9aa208a6-dc02-49fc-a8bd-41304e455a03
1/29/2006 3:14:32 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
1/29/2006 2:09:14 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\884365cf-d9c3-489a-9570-0d25828f130f
1/29/2006 2:09:14 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
2/11/2006 11:48:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Realtek Semiconductor Corp. 1/8/2004 1:53:58 PM 14204416 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/30/2004 11:17:14 AM 135168 C:\WINDOWS\SYSTEM32\DIRECTX.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
SiSoftware 10/9/2005 9:14:20 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Realtek Semiconductor Corp. 1/8/2004 1:53:58 PM 14204416 C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/29/2006 2:06:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/29/2006 8:53:14 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/1/2006 7:29:32 PM 3240 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
1/29/2006 2:06:08 PM HS 84 C:\Documents and Settings\Sean Ryan\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/29/2006 8:53:14 AM HS 62 C:\Documents and Settings\Sean Ryan\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
   SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\system32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   gcasServ   "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
   AVG7_CC   D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
   MSN Messenger   C:\WINDOWS\system32\msn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSN Messenger   C:\WINDOWS\system32\msn.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   services   0
   startup   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1
   DisableTaskMgr   0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
   NoChangingWallPaper   0
   NoAddingComponents   0
   NoComponents   0
   NoDeletingComponents   0
   NoEditingComponents   0
   NoCloseDragDropBands   0
   NoMovingBands   0
   NoHTMLWallPaper   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoActiveDesktop   0
   NoSaveSettings   0
   ClassicShell   0
   NoThemesTab   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
   DisableTaskMgr   0
   NoDispAppearancePage   0
   NoColorChoice   0
   NoSizeChoice   0
   NoDispBackgroundPage   0
   NoDispScrSavPage   0
   NoDispCPL   0
   NoVisualStyleChoice   0
   NoDispSettingsPage   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
    = Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/11/2006 11:57:26 PM

I still get the error message from Microsoft AntiSpyware. Thank you for your help.

I made a small donation for your cause

guestolo · « **Reply #18 on:** February 12, 2006, 12:41:55 PM »

You should be able to navigate to them as you do with Jotti's online scan
Can you open a notepad file and save these instructions to them
Save this too the desktop
Close all other windows, keep only this text file open

Can you do the following please
Shutdown Microsoft AntiSpyware by right clicking the icon by the clock and select ShutDown
OK the prompt
We don't want MAS interfering

Open Your Task Manager by right clicking the bottom task bar and select Task Manager
Under the Processes tab>>End process on "Explorer.exe"
This is the legit Explorer.exe, we just want to stop it from running for now
Your task bar and Icons will disappear, not to worry
You should still have the text file with instructions open and Task manager

Stay with Task manager
Click FILE in the top menu bar and then
New Task(Run..)
Click the Browse button
In the Look in: drop down box select Local Disk C:
You should now see the file "Explorer.exe"
Right click on it and rename to Explorer.old

After that is done, double click on the "Windows" folder
in Task manager
Then double click on "System32" folder
Look for "msn.exe"
Right click on it and rename it

After that is done close the Browse button
in Create New Task Open field
type the following
explorer.exe then click OK
Your task bar and icons will reappear

Post a fresh hijackthis log afterwards

Firestrider · « **Reply #19 on:** February 18, 2006, 02:02:41 PM »

Logfile of HijackThis v1.99.1
Scan saved at 2:01:48 PM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
D:\Program Files\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O4 - HKCU\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

News:

Author Topic: STRUCK by the AXE again! (Read 3432 times)