Topic: need help with win32.p2p worm alcan.a

Offline purepremium2006

« on: June 10, 2006, 03:32:23 AM »
Hi, first off I'd like to thank you guys for taking your time to help people like me who have this annoying bug on their comps... I don't understand why a fellow human being would build viruses or worms...

I was trying to install Xp home on my desktop (I bought it for my laptop) and it said my product key was no good so I downloaded a program called kf141.zip to identify my product key.  I dl'ed 2 versions, one of them gave me this worm.  So any help on getting XP to work on my desktop would be greatly appreciated as well.  Now on to the issue at hand.

I've read through some of the posts here and did some self help but would like to get someone to look through my logs and see if my comp's clean.  

I downloaded a AlcanFix.zip from another site and also ran SmitfraudFix from this site.  Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:10 AM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by [censored] happens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - AppInit_DLLs:  C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: winhmc32 - C:\WINDOWS\SYSTEM32\winhmc32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

SmitFraudFix v2.56

Scan done at  1:22:14.07, Sat 06/10/2006
Run from C:\Documents and Settings\francis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\exit Deleted
C:\secure32.html Deleted
C:\uniq Deleted
C:\WINDOWS\azesearch.bmp Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\teller2.chk Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
Problem while deleting C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\bin29a.log Deleted
Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
Problem while deleting C:\WINDOWS\system32\hp???.tmp
Problem while deleting C:\WINDOWS\system32\hp????.tmp
Problem while deleting C:\WINDOWS\system32\ld????.tmp
C:\WINDOWS\system32\ot.ico Deleted
Problem while deleting C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\simpole.tlb Deleted
Problem while deleting C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Documents and Settings\francis\Application Data\Install.dat Deleted
C:\DOCUME~1\francis\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\secure32.html Deleted
C:\Program Files\SpywareQuake.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\asxbbx.dll -> Hoax.Win32.Renos.gen
C:\WINDOWS\System32\asxbbx.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted

Again, I appreciate the help, hope to hear from you soon.

Thank you,

sincerely,

francis

Offline purepremium2006

« Reply #1 on: June 10, 2006, 03:55:00 AM »
rebooted, the "your computer has been infected" sign is gone...

but 2 windows keep popping up

ULWindowSeek
ULWindowUrl

and a warning about ActiveX config prohibiting these from running. At least now Task Manager is back.

Going through uninstalling suspect programs, there's one called Web Savings from Ebates that won't uninstall. ERROR: could not execute Main: The system cannot find the file specified. Does that mean it's not there anymore?

Offline purepremium2006

« Reply #2 on: June 10, 2006, 04:07:56 AM »
Latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:05:30 AM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\francis\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by [censored] happens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - AppInit_DLLs:  C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: winhmc32 - C:\WINDOWS\SYSTEM32\winhmc32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

and SmitFraudFix

SmitFraudFix v2.56

Scan done at  2:06:51.32, Sat 06/10/2006
Run from C:\Documents and Settings\francis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\francis\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\francis\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline purepremium2006

« Reply #3 on: June 10, 2006, 05:33:02 PM »
I've done some work; here are the latest reports. I think I got rid of it, but please take a look if you have time so I can know for sure.


 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         2:56:31 PM, 6/10/2006
 + Report-Checksum:      B8D2FE6F

 + Scan result:

   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP674\A0189635.dll -> Adware.PurityScan : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP674\A0189638.dll -> Trojan.Agent.vg : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:32:22 PM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Thanks
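
As an added example (not code from this thread, from HijackThis or from the fix tools used here), a small Python parser for HijackThis-format logs that diffs an earlier scan against a later one of the same machine and flags the O20/O21/O22 entries (AppInit_DLLs, Winlogon Notify, SharedTaskScheduler) that a responder checks first. The two sample logs inside it are constructed from the entry formats seen in this thread, not the poster's full logs.

```python
"""Parse HijackThis-format logs and diff two scans of one machine.

The two sample logs below are constructed for this example from the
entry formats seen in this thread; they are not the poster's full logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry line looks like:  "O4 - HKLM\..\Run: [Name] C:\path\file.exe"
# The leading token (R0..R3, F0..F3, N1..N4, O1..O24) identifies the check.
_ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")

# O20 covers AppInit_DLLs (loaded into every process that links user32) and
# Winlogon Notify packages (loaded into winlogon.exe); O21 is
# ShellServiceObjectDelayLoad and O22 is SharedTaskScheduler, both loaded by
# Explorer at logon. Unknown DLLs here run before the user's shell, so they
# are the first entries a responder verifies.
HIGH_INTEREST = {"O20", "O21", "O22"}


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O20"
    detail: str   # remainder of the line, verbatim


def parse_hjt(log_text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a log; headers and the process list are skipped."""
    entries: list[Entry] = []
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def flag_high_interest(entries: list[Entry]) -> list[Entry]:
    """Entries from the injection/notification sections, in log order."""
    return [e for e in entries if e.section in HIGH_INTEREST]


def _order(e: Entry) -> tuple[str, int, str]:
    # Sort O4 before O20 (numeric), not lexically ("O20" < "O4").
    return (e.section[0], int(e.section[1:]), e.detail)


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(entries only in the earlier scan, entries only in the later scan)."""
    earlier, later = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(earlier - later, key=_order), sorted(later - earlier, key=_order)


# Constructed sample: a scan before cleanup, with two O20 injection points.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:31:10 AM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O20 - AppInit_DLLs:  C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: winhmc32 - C:\WINDOWS\SYSTEM32\winhmc32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: the same machine after cleanup and an AV install.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:32:22 PM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print("gone:", e.section, e.detail)
    for e in added:
        print("new :", e.section, e.detail)
    print("high-interest entries still present:",
          flag_high_interest(parse_hjt(AFTER_LOG)) or "none")
```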

Offline guestolo

« Reply #4 on: June 11, 2006, 08:04:11 AM »
Your log looks good.
Just for a double check, can you do the following:

Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe

Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

Offline purepremium2006

« Reply #5 on: June 11, 2006, 03:43:17 PM »
guestolo, thanks for the reply.

Here's the log from WinPFind

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

PTech                7/1/2004 2:00:54 AM      H  2873716    C:\WINDOWS\msbb_kyf.dat

Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/28/2002 2:00:00 PM        41397      C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2                 9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                7/3/2004 7:51:56 PM      H  3164631    C:\WINDOWS\SYSTEM32\kyf.dat
PTech                7/12/2005 7:04:22 PM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
UPX!                 6/9/2006 12:34:46 AM        156672     C:\WINDOWS\SYSTEM32\oins.exe
Umonitor             8/28/2002 2:00:00 PM        631808     C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX!                 4/27/2006 5:49:00 PM        288417     C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX!                 1/9/2006 10:36:00 AM        42496      C:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 1/9/2006 10:36:00 AM        40960      C:\WINDOWS\SYSTEM32\swsc.exe
winsync              8/28/2002 2:00:00 PM        1309184    C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     6/11/2006 1:05:02 PM      S 2048       C:\WINDOWS\BOOTSTAT.DAT
                     6/11/2006 1:04:00 PM      S 64         C:\WINDOWS\CSC\00000001
                     6/11/2006 12:45:12 PM     S 64         C:\WINDOWS\CSC\00000002
                     6/7/2006 7:12:18 PM       S 64         C:\WINDOWS\CSC\csc1.tmp
                     4/28/2006 9:29:22 PM     HS 848        C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
                     4/16/2006 1:04:56 AM     HS 0          C:\WINDOWS\SYSTEM32\wupdmgr.tmp
                     6/11/2006 1:04:50 PM     H  8192       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
                     6/11/2006 1:05:10 PM     H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
                     6/11/2006 1:05:04 PM     H  12288      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
                     6/11/2006 1:06:12 PM     H  86016      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
                     6/11/2006 1:05:08 PM     H  1167360    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
                     7/13/2006 1:24:22 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\153d4519-394e-4c7c-8095-25fe2cf4e79a
                     5/2/2006 12:52:20 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\25859ce9-92ac-45ac-8b06-5d887a65dca2
                     6/30/2006 1:22:34 PM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\3781809c-f2bc-4296-ad5e-0799756c3c62
                     5/2/2006 12:52:20 AM     HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     6/11/2006 1:04:02 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/28/2002 2:00:00 PM        66048      C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        578560     C:\WINDOWS\SYSTEM32\APPWIZ.CPL
                               11/11/1999 9:11:00 AM       183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Logitech Inc.                  7/28/2005 2:01:56 PM        360448     C:\WINDOWS\SYSTEM32\camcpl.cpl
                               5/23/2002 8:45:48 PM        24576      C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        129024     C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        150016     C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        292352     C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        121856     C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        187904     C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        559616     C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        35840      C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        256000     C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        109056     C:\WINDOWS\SYSTEM32\POWERCFG.CPL
                               11/19/1999 2:54:12 PM       155648     C:\WINDOWS\SYSTEM32\PPPoEService.cpl
RealNetworks, Inc.             1/13/2003 1:47:04 AM        24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        268288     C:\WINDOWS\SYSTEM32\SYSDM.CPL
Wacom Technology, Corp.        11/25/2002 1:55:00 PM       921600     C:\WINDOWS\SYSTEM32\Tablet.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        28160      C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        90112      C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation          5/26/2005 5:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     1/29/2006 6:13:00 PM        1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
                     5/5/2006 11:38:46 PM        1782       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     4/29/2006 1:44:20 AM        988        C:\Documents and Settings\francis\Start Menu\Programs\Startup\Adobe Gamma.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\francis\Start Menu\Programs\Startup\DESKTOP.INI
                     4/3/2004 7:14:02 PM         243200     C:\Documents and Settings\francis\Start Menu\Programs\Startup\PowerReg Scheduler.exe

Checking files in %USERPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\francis\Application Data\DESKTOP.INI
                     2/7/2003 12:49:28 AM        12358      C:\Documents and Settings\francis\Application Data\PFP100JCM.{PB
                     2/7/2003 12:49:28 AM        61678      C:\Documents and Settings\francis\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   ATIModeChange   Ati2mdxx.exe
   zBrowser Launcher   C:\Program Files\Logitech\iTouch\iTouch.exe
   PCTVOICE   pctspk.exe
   LogitechCameraAssistant   C:\Program Files\Logitech\Video\CameraAssistant.exe
   LogitechVideo[inspector]   C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   PopUpStopperFreeEdition   "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
   License Management Service ESD   3
   ImapiService   3
   IDriverT   3
   Adobe LM Service   3
   ACS   2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACS.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
   backup   C:\WINDOWS\pss\ACS.lnkCommon Startup
   location   Common Startup
   command   C:\WINDOWS\SYSTEM32\ACS.BAT
   item   ACS
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
   backup   C:\WINDOWS\pss\ACS.lnkCommon Startup
   location   Common Startup
   command   C:\WINDOWS\SYSTEM32\ACS.BAT
   item   ACS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus Xtreme G Configuration Utility.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
   backup   C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\AirPlus.exe
   item   D-Link AirPlus Xtreme G Configuration Utility
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
   backup   C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\AirPlus.exe
   item   D-Link AirPlus Xtreme G Configuration Utility

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk
   backup   C:\WINDOWS\pss\D-Link REG Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\Reg.exe
   item   D-Link REG Utility
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk
   backup   C:\WINDOWS\pss\D-Link REG Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\Reg.exe
   item   D-Link REG Utility

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0dc14acb.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DirectCD
   hkey   HKLM
   command   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DirectCD
   hkey   HKLM
   command   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Apoint
   hkey   HKLM
   command   C:\Program Files\Apoint\Apoint.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Apoint
   hkey   HKLM
   command   C:\Program Files\Apoint\Apoint.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cf063a0d.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   cf063a0d
   hkey   HKLM
   command   C:\WINDOWS\System32\cf063a0d.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   cf063a0d
   hkey   HKLM
   command   C:\WINDOWS\System32\cf063a0d.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DIGESTW
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DIGESTW
   hkey   HKLM
   command   C:\WINDOWS\System32\DIGESTW.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DIGESTW
   hkey   HKLM
   command   C:\WINDOWS\System32\DIGESTW.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IASCRW
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   IASCRW
   hkey   HKLM
   command   C:\WINDOWS\System32\IASCRW.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   IASCRW
   hkey   HKLM
   command   C:\WINDOWS\System32\IASCRW.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   dumprep 0 -k
   hkey   HKLM
   command   %systemroot%\system32\dumprep 0 -k
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   dumprep 0 -k
   hkey   HKLM
   command   %systemroot%\system32\dumprep 0 -k
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Logitech Utility
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Logi_MwX
   hkey   HKLM
   command   Logi_MwX.Exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Logi_MwX
   hkey   HKLM
   command   Logi_MwX.Exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechCameraService(E)
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElkCtrl
   hkey   HKLM
   command   C:\WINDOWS\System32\ElkCtrl.exe /automation
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElkCtrl
   hkey   HKLM
   command   C:\WINDOWS\System32\ElkCtrl.exe /automation
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechSoftwareUpdate
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ManifestEngine
   hkey   HKCU
   command   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ManifestEngine
   hkey   HKCU
   command   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMSX
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   LVCOMSX
   hkey   HKLM
   command   C:\WINDOWS\System32\LVCOMSX.EXE
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   LVCOMSX
   hkey   HKLM
   command   C:\WINDOWS\System32\LVCOMSX.EXE
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mmtask
   hkey   HKLM
   command   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mmtask
   hkey   HKLM
   command   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   msmsgs
   hkey   HKCU
   command   "C:\Program Files\Messenger\msmsgs.exe" /background
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   msmsgs
   hkey   HKCU
   command   "C:\Program Files\Messenger\msmsgs.exe" /background
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ncao
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   chkdsk
   hkey   HKCU
   command   "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   chkdsk
   hkey   HKCU
   command   "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PRISMSVR.EXE
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PRISMSVR
   hkey   HKLM
   command   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PRISMSVR
   hkey   HKLM
   command   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RealPlay
   hkey   HKLM
   command   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RealPlay
   hkey   HKLM
   command   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegKillElbyCheck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElbyCheck
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElbyCheck
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegKillTray
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RegKillTray
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RegKillTray
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SCFGWMIT
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SCFGWMIT
   hkey   HKLM
   command   C:\WINDOWS\System32\SCFGWMIT.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SCFGWMIT
   hkey   HKLM
   command   C:\WINDOWS\System32\SCFGWMIT.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpgs2wnd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpgs2wnd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMARQUES
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SMARQUES
   hkey   HKLM
   command   C:\WINDOWS\System32\SMARQUES.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SMARQUES
   hkey   HKLM
   command   C:\WINDOWS\System32\SMARQUES.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StorageGuard
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sgtray
   hkey   HKLM
   command   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sgtray
   hkey   HKLM
   command   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UDIOSRVA
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   UDIOSRVA
   hkey   HKLM
   command   C:\WINDOWS\System32\UDIOSRVA.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   UDIOSRVA
   hkey   HKLM
   command   C:\WINDOWS\System32\UDIOSRVA.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ViewMgr
   hkey   HKLM
   command   C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ViewMgr
   hkey   HKLM
   command   C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ypager
   hkey   HKCU
   command   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ypager
   hkey   HKCU
   command   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YBrowser
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ybrwicon
   hkey   HKLM
   command   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ybrwicon
   hkey   HKLM
   command   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yppin
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NPDB~1
   hkey   HKCU
   command   C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NPDB~1
   hkey   HKCU
   command   C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zwjixxbjwlku
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   xkefyp
   hkey   HKLM
   command   C:\WINDOWS\System32\xkefyp.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   xkefyp
   hkey   HKLM
   command   C:\WINDOWS\System32\xkefyp.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   2
   bootini   2
   services   2
   startup   2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
   NoBackButton   0
   NoFileMru   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoStartMenuMyMusic   1
   NoSMMyPictures   1
   NoRecentDocsMenu   1
   ClearRecentDocsOnExit   1
   NoRecentDocsHistory   1
   NoTaskGrouping   1
   NoRecentDocsNetHood   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/11/2006 1:15:05 PM






It's a long one, whew.

Quick question on some c:\windows folders.

I have all these folders in blue called something like this

$NtUninstallKB873339$

Are they restore point backups or what?  And can I delete them?



Hope you're having a good Sunday.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with win32.p2p worm alcan.a
« Reply #6 on: June 11, 2006, 07:11:13 PM »
Quote
I have all these folders in blue called something like this
$NtUninstallKB873339$
Those files you don't normally see are related to updates from Windows.
Leave them alone, they do no harm.
You have enabled showing hidden files and folders; that's why you're seeing them.

Can you do the following please
You're controlling entries on startup with msconfig.
It is hard analyzing your HijackThis log this way.

Can you do the following please

Use Internet Explorer and Run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.
I'll need to see it later.

After the scan is done

Go to START>>RUN>>type in
msconfig
Under the STARTUP tab>>Enable ALL>>Apply
Under the General tab ensure Normal startup is selected
Apply and Close
Reboot the computer at the prompt

Back in Windows
Run a fresh scan and save the logfile with HijackThis, and post the fresh log.
Also, post the whole report from Panda's
« Last Edit: June 11, 2006, 07:13:40 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
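The point guestolo makes about msconfig is worth seeing in code: MSConfig does not delete a startup item it disables, it moves the entry under Shared Tools\MSConfig\startupreg, where HijackThis no longer lists it, so the disabled items only surface in the WinPFind dump above. As an added example (not code from this thread or from the WinPFind/HijackThis tools), this Python script pulls those entries out of a WinPFind log and flags the ones to look at first; the sample lines are constructed from entries quoted in the thread and the flagging heuristics are the example's own.

```python
r"""Recover startup entries that MSConfig disabled (moved under
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, where HijackThis
does not list them) from a WinPFind log, and flag the ones to look at first."""
import re

# Header line of each disabled entry; the entry name follows the last backslash.
PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\"
# "   field   value": indented name, two or more spaces, then the value.
FIELD_RE = re.compile(r"^\s+(\S+)\s{2,}(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$")          # e.g. 0dc14acb.exe
# Windows binaries whose names get borrowed by files dropped elsewhere.
SYSTEM_TOOL_NAMES = {"chkdsk.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "explorer.exe"}


def executable_path(command):
    """Program part of a Run-key command line (quoted or unquoted)."""
    cmd = command.strip()
    if cmd.startswith('"'):                     # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)   # unquoted, may contain spaces
    return cmd[:m.end()] if m else (cmd.split() or [""])[0]


def parse_startupreg(log_text):
    """Return one dict per disabled-entry block: its name plus its fields."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith(PREFIX):
            current = {"name": line[len(PREFIX):]}
            entries.append(current)
        elif not line.strip():
            current = None                      # blank line closes the block
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:                               # WinPFind repeats fields; last wins
                current[m.group(1)] = m.group(2).strip()
    return entries


def flag_entry(entry):
    """Heuristic reasons (this example's own) for looking at an entry first."""
    path = executable_path(entry.get("command", "")).lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if HEX_NAME_RE.match(base):
        reasons.append("hex-string executable name")
    if "\\docume~1\\" in path or "\\documents and settings\\" in path:
        reasons.append("executable inside a user profile")
    in_windows = path.startswith(("c:\\windows\\", "%systemroot%\\"))
    if base in SYSTEM_TOOL_NAMES and not in_windows:
        reasons.append("system-tool name outside the Windows directory")
    return reasons


def triage(log_text):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {e["name"]: r for e in parse_startupreg(log_text) if (r := flag_entry(e))}


# Constructed sample in the shape of the thread's WinPFind output.
SAMPLE_LOG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0dc14acb.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ncao
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   chkdsk
   hkey   HKCU
   command   "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   startup   2
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

These checks are a triage aid, not a verdict: an entry such as the thread's xkefyp.exe in System32 passes all three, which is why the helper asks for everything to be re-enabled so a fresh HijackThis log shows the full picture.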


Offline purepremium2006

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
need help with win32.p2p worm alcan.a
« Reply #7 on: June 13, 2006, 02:48:12 AM »
Wow, ActiveScan found 17 problems... Can I just delete them from their directories?


Incident                                         Status            Location

Spyware:Cookie/Go                                Not disinfected   C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Spyware:spyware/surfsidekick                     Not disinfected   C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:Application/Processor  Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\SmitfraudFix\Process.exe
Adware:Adware/SystemDoctor                       Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Adware:Adware/SystemDoctor                       Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Adware:adware/vog                                Not disinfected   C:\Program Files\Internet Explorer\winbrume.dat
Adware:adware/clickalchemy                       Not disinfected   C:\WINDOWS\alchem.ini
Adware:Adware/AzeSearch                          Not disinfected   C:\WINDOWS\Downloaded Program Files\azesearch.inf
Dialer:dialer.avv                                Not disinfected   C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Dialer:dialer.no                                 Not disinfected   C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Adware:Adware Program                            Not disinfected   C:\WINDOWS\Downloaded Program Files\test.INF
Adware:adware/dollarrevenue                      Not disinfected   C:\WINDOWS\drsmartload2.dat
Adware:Adware/IPInsight                          Not disinfected   C:\WINDOWS\INF\alchem.inf
Adware:Adware/SAHAgent                           Not disinfected   C:\WINDOWS\INF\biC.inf
Spyware:Spyware/BetterInet                       Not disinfected   C:\WINDOWS\INF\biini.inf
Adware:Adware/Transponder                        Not disinfected   C:\WINDOWS\INF\polmx2.inf
Adware:Adware/Twain-Tech                         Not disinfected   C:\WINDOWS\INF\twaintec.inf
Adware:adware/ncase                              Not disinfected   C:\WINDOWS\msbb.log
Virus:Trj/Qhost.B                                Disinfected       C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20040627-025658.backup
Adware:adware/keenvalue                          Not disinfected   C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/mediatickets                       Not disinfected   C:\WINDOWS\SYSTEM32\oins.exe
Potentially unwanted tool:Application/Processor  Not disinfected   C:\WINDOWS\SYSTEM32\Process.exe


_________________________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 AM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zwjixxbjwlku] C:\WINDOWS\System32\xkefyp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UDIOSRVA] C:\WINDOWS\System32\UDIOSRVA.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SMARQUES] C:\WINDOWS\System32\SMARQUES.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCFGWMIT] C:\WINDOWS\System32\SCFGWMIT.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IASCRW] C:\WINDOWS\System32\IASCRW.exe
O4 - HKLM\..\Run: [DIGESTW] C:\WINDOWS\System32\DIGESTW.exe
O4 - HKLM\..\Run: [cf063a0d.exe] C:\WINDOWS\System32\cf063a0d.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [0dc14acb.exe] C:\WINDOWS\System32\0dc14acb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yppin] C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with win32.p2p worm alcan.a
« Reply #8 on: June 13, 2006, 10:25:23 PM »
Sorry for the delay
Can you do the following please

Please download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard


Quote
files to delete:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
C:\Documents and Settings\francis\My
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
C:\Program Files\Internet Explorer\winbrume.dat
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\azesearch.inf
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
C:\WINDOWS\Downloaded Program Files\test.INF
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\biC.inf
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\INF\polmx2.inf
C:\WINDOWS\INF\twaintec.inf
C:\WINDOWS\msbb.log
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\SYSTEM32\oins.exe
C:\WINDOWS\msbb_kyf.dat
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\SrchSTS.exe
C:\WINDOWS\System32\cf063a0d.exe
C:\WINDOWS\System32\SCFGWMIT.exe
C:\WINDOWS\System32\DIGESTW.exe
C:\WINDOWS\System32\0dc14acb.exe
C:\WINDOWS\System32\IASCRW.exe
C:\WINDOWS\System32\xkefyp.exe
C:\WINDOWS\System32\UDIOSRVA.exe
C:\WINDOWS\System32\SMARQUES.exe
Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer
Back in Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [zwjixxbjwlku] C:\WINDOWS\System32\xkefyp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UDIOSRVA] C:\WINDOWS\System32\UDIOSRVA.exe
O4 - HKLM\..\Run: [SMARQUES] C:\WINDOWS\System32\SMARQUES.exe
O4 - HKLM\..\Run: [SCFGWMIT] C:\WINDOWS\System32\SCFGWMIT.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IASCRW] C:\WINDOWS\System32\IASCRW.exe
O4 - HKLM\..\Run: [DIGESTW] C:\WINDOWS\System32\DIGESTW.exe
O4 - HKLM\..\Run: [cf063a0d.exe] C:\WINDOWS\System32\cf063a0d.exe
O4 - HKLM\..\Run: [0dc14acb.exe] C:\WINDOWS\System32\0dc14acb.exe
O4 - HKCU\..\Run: [Yppin] C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
O4 - Startup: PowerReg Scheduler.exe


After you have ticked the above entries, close all other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer one more time
Back in Windows
You're not running any Anti-Virus software; if you don't have your own to install,
Immediately install and update one of these free AV's below

ONLY INSTALL ONE, more than one can cause operating system instabilities
AVG 7 by Grisoft

Avast Home Edition by ALWIL

Avira AntiVir Personal Edition Classic
All of the above have a free version, once you have decided which one to install and update
Run a full system scan, let it remove whatever it finds,
Reboot your computer one more time

Back in Windows


1. Post a fresh Hijackthis log
2. Post the whole log created by Avenger>>C:\avenger.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
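The reply above asks for a fresh HijackThis log after "Fix checked" so the helper can confirm the ticked O4 entries are gone. As an added example (not code from this thread, from HijackThis or from its author), the Python below parses the O4 autostart lines of two logs, diffs them, and checks a fix list against the fresh log. The two log excerpts are constructed from the logs posted in this thread; the rules in `flag_suspicious` are illustrative assumptions of my own, not HijackThis logic, and they deliberately miss some of the entries the helper ticked (random names such as `xkefyp.exe` need a human or a hash lookup).

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the two HijackThis logs posted in this thread: the
# 6/13 log (before "Fix checked") and the 6/14 log (after). Only the O4
# autostart lines matter here; the parser skips everything else.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zwjixxbjwlku] C:\WINDOWS\System32\xkefyp.exe
O4 - HKLM\..\Run: [UDIOSRVA] C:\WINDOWS\System32\UDIOSRVA.exe
O4 - HKLM\..\Run: [cf063a0d.exe] C:\WINDOWS\System32\cf063a0d.exe
O4 - HKLM\..\Run: [0dc14acb.exe] C:\WINDOWS\System32\0dc14acb.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ACS.lnk = ?
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: ACS.lnk = ?
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# The O4 lines the helper asked to tick, as they appear in the excerpt above.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [zwjixxbjwlku] C:\WINDOWS\System32\xkefyp.exe",
    r"O4 - HKLM\..\Run: [UDIOSRVA] C:\WINDOWS\System32\UDIOSRVA.exe",
    r"O4 - HKLM\..\Run: [cf063a0d.exe] C:\WINDOWS\System32\cf063a0d.exe",
    r"O4 - HKLM\..\Run: [0dc14acb.exe] C:\WINDOWS\System32\0dc14acb.exe",
    r'O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax',
    r"O4 - Startup: PowerReg Scheduler.exe",
]

# Registry autostart:       "O4 - HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder autostart: "O4 - Startup: file" or "O4 - Global Startup: x.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<cmd>.*)$")


def _exe_name(cmd: str) -> str:
    """Lower-cased file name of the program a Run command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, then arguments
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted path, split at first space
        path = cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Extract the O4 autostart entries from a HijackThis log as records."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"line": line, "location": m["loc"], "name": m["name"],
                            "command": m["cmd"], "exe": _exe_name(m["cmd"])})
            continue
        m = STARTUP_RE.match(line)
        if m:
            parts = m["cmd"].split(" = ", 1)     # ".lnk = target" or a bare file name
            entries.append({"line": line, "location": m["loc"], "name": parts[0],
                            "command": parts[-1],
                            "exe": parts[-1].rsplit("\\", 1)[-1].lower()})
    return entries


def diff_o4(before_text: str, after_text: str) -> Tuple[List[str], List[str]]:
    """(removed, added) O4 lines between two logs of the same machine."""
    before = {e["line"] for e in parse_o4(before_text)}
    after = {e["line"] for e in parse_o4(after_text)}
    return sorted(before - after), sorted(after - before)


def still_present(after_text: str, fix_list: List[str]) -> List[str]:
    """Entries from the helper's fix list that survive in the fresh log."""
    after = {e["line"] for e in parse_o4(after_text)}
    return [line for line in fix_list if line.strip() in after]


HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$")
# Windows components that never legitimately autostart from a user profile.
SYSTEM_TOOL_NAMES = {"chkdsk.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Illustrative heuristics (my assumptions, not HijackThis logic) for odd autostarts."""
    flagged = []
    for e in entries:
        cmd_l = e["command"].lower()
        reasons = []
        if HEX_NAME_RE.match(e["exe"]):
            reasons.append("eight-hex-digit file name")
        if e["exe"] in SYSTEM_TOOL_NAMES and "\\system32\\" not in cmd_l:
            reasons.append("system tool launched from outside System32")
        if "\\mydocu~1\\" in cmd_l or "\\my documents\\" in cmd_l:
            reasons.append("autostart from a user's documents folder")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


if __name__ == "__main__":
    removed, added = diff_o4(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("fix list still present:", still_present(AFTER_LOG, FIX_LIST))
    print("flagged before fix:", flag_suspicious(parse_o4(BEFORE_LOG)))
```

Diffing whole O4 lines rather than just names is deliberate: a run-key name that stays while its command changes is exactly the kind of difference a name-only comparison would hide.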


Offline purepremium2006

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
need help with win32.p2p worm alcan.a
« Reply #9 on: June 14, 2006, 10:24:50 AM »
Thanks for the help, did what you said, the scan took a long time.

There are a bunch of A01#####.exe's in the system restore folders (C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}).  Do I need to keep these folders or can I just delete them? I think they all were done when the comp was infected.  I should just do a clean restore now.

Here are the logs. Posted 2 avenger logs, first one I think I did in selective startup, forgot to uncheck them again...




Logfile of HijackThis v1.99.1
Scan saved at 8:20:08 AM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe




_____________________________________________



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qolnaqau

*******************

Script file located at: \??\C:\Documents and Settings\hwkkxfls.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\francis\Cookies\francis@go[1].txt not found!
Deletion of file C:\Documents and Settings\francis\Cookies\francis@go[1].txt failed!

Could not process line:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Status: 0xc0000034



File C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log not found!
Deletion of file C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log failed!

Could not process line:
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Status: 0xc0000034



File C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe not found!
Deletion of file C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe failed!

Could not process line:
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Status: 0xc0000034



File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034



Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a



File C:\Program Files\Internet Explorer\winbrume.dat not found!
Deletion of file C:\Program Files\Internet Explorer\winbrume.dat failed!

Could not process line:
C:\Program Files\Internet Explorer\winbrume.dat
Status: 0xc0000034



File C:\WINDOWS\alchem.ini not found!
Deletion of file C:\WINDOWS\alchem.ini failed!

Could not process line:
C:\WINDOWS\alchem.ini
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\azesearch.inf not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\azesearch.inf failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\azesearch.inf
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\test.INF not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\test.INF failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\test.INF
Status: 0xc0000034



File C:\WINDOWS\drsmartload2.dat not found!
Deletion of file C:\WINDOWS\drsmartload2.dat failed!

Could not process line:
C:\WINDOWS\drsmartload2.dat
Status: 0xc0000034



File C:\WINDOWS\INF\alchem.inf not found!
Deletion of file C:\WINDOWS\INF\alchem.inf failed!

Could not process line:
C:\WINDOWS\INF\alchem.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biC.inf not found!
Deletion of file C:\WINDOWS\INF\biC.inf failed!

Could not process line:
C:\WINDOWS\INF\biC.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biini.inf not found!
Deletion of file C:\WINDOWS\INF\biini.inf failed!

Could not process line:
C:\WINDOWS\INF\biini.inf
Status: 0xc0000034



File C:\WINDOWS\INF\polmx2.inf not found!
Deletion of file C:\WINDOWS\INF\polmx2.inf failed!

Could not process line:
C:\WINDOWS\INF\polmx2.inf
Status: 0xc0000034



File C:\WINDOWS\INF\twaintec.inf not found!
Deletion of file C:\WINDOWS\INF\twaintec.inf failed!

Could not process line:
C:\WINDOWS\INF\twaintec.inf
Status: 0xc0000034



File C:\WINDOWS\msbb.log not found!
Deletion of file C:\WINDOWS\msbb.log failed!

Could not process line:
C:\WINDOWS\msbb.log
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho not found!
Deletion of file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034



File C:\WINDOWS\msbb_kyf.dat not found!
Deletion of file C:\WINDOWS\msbb_kyf.dat failed!

Could not process line:
C:\WINDOWS\msbb_kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\kyf.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\kyf.dat failed!

Could not process line:
C:\WINDOWS\SYSTEM32\kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SrchSTS.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\SrchSTS.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SrchSTS.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cf063a0d.exe not found!
Deletion of file C:\WINDOWS\System32\cf063a0d.exe failed!

Could not process line:
C:\WINDOWS\System32\cf063a0d.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SCFGWMIT.exe not found!
Deletion of file C:\WINDOWS\System32\SCFGWMIT.exe failed!

Could not process line:
C:\WINDOWS\System32\SCFGWMIT.exe
Status: 0xc0000034



File C:\WINDOWS\System32\DIGESTW.exe not found!
Deletion of file C:\WINDOWS\System32\DIGESTW.exe failed!

Could not process line:
C:\WINDOWS\System32\DIGESTW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\0dc14acb.exe not found!
Deletion of file C:\WINDOWS\System32\0dc14acb.exe failed!

Could not process line:
C:\WINDOWS\System32\0dc14acb.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\xkefyp.exe not found!
Deletion of file C:\WINDOWS\System32\xkefyp.exe failed!

Could not process line:
C:\WINDOWS\System32\xkefyp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\UDIOSRVA.exe not found!
Deletion of file C:\WINDOWS\System32\UDIOSRVA.exe failed!

Could not process line:
C:\WINDOWS\System32\UDIOSRVA.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SMARQUES.exe not found!
Deletion of file C:\WINDOWS\System32\SMARQUES.exe failed!

Could not process line:
C:\WINDOWS\System32\SMARQUES.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.



_____________________________


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qolnaqau

*******************

Script file located at: \??\C:\Documents and Settings\hwkkxfls.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\francis\Cookies\francis@go[1].txt not found!
Deletion of file C:\Documents and Settings\francis\Cookies\francis@go[1].txt failed!

Could not process line:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Status: 0xc0000034



File C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log not found!
Deletion of file C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log failed!

Could not process line:
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Status: 0xc0000034



File C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe not found!
Deletion of file C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe failed!

Could not process line:
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Status: 0xc0000034



File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034



Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a



File C:\Program Files\Internet Explorer\winbrume.dat not found!
Deletion of file C:\Program Files\Internet Explorer\winbrume.dat failed!

Could not process line:
C:\Program Files\Internet Explorer\winbrume.dat
Status: 0xc0000034



File C:\WINDOWS\alchem.ini not found!
Deletion of file C:\WINDOWS\alchem.ini failed!

Could not process line:
C:\WINDOWS\alchem.ini
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\azesearch.inf not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\azesearch.inf failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\azesearch.inf
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\test.INF not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\test.INF failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\test.INF
Status: 0xc0000034



File C:\WINDOWS\drsmartload2.dat not found!
Deletion of file C:\WINDOWS\drsmartload2.dat failed!

Could not process line:
C:\WINDOWS\drsmartload2.dat
Status: 0xc0000034



File C:\WINDOWS\INF\alchem.inf not found!
Deletion of file C:\WINDOWS\INF\alchem.inf failed!

Could not process line:
C:\WINDOWS\INF\alchem.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biC.inf not found!
Deletion of file C:\WINDOWS\INF\biC.inf failed!

Could not process line:
C:\WINDOWS\INF\biC.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biini.inf not found!
Deletion of file C:\WINDOWS\INF\biini.inf failed!

Could not process line:
C:\WINDOWS\INF\biini.inf
Status: 0xc0000034



File C:\WINDOWS\INF\polmx2.inf not found!
Deletion of file C:\WINDOWS\INF\polmx2.inf failed!

Could not process line:
C:\WINDOWS\INF\polmx2.inf
Status: 0xc0000034



File C:\WINDOWS\INF\twaintec.inf not found!
Deletion of file C:\WINDOWS\INF\twaintec.inf failed!

Could not process line:
C:\WINDOWS\INF\twaintec.inf
Status: 0xc0000034



File C:\WINDOWS\msbb.log not found!
Deletion of file C:\WINDOWS\msbb.log failed!

Could not process line:
C:\WINDOWS\msbb.log
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho not found!
Deletion of file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034



File C:\WINDOWS\msbb_kyf.dat not found!
Deletion of file C:\WINDOWS\msbb_kyf.dat failed!

Could not process line:
C:\WINDOWS\msbb_kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\kyf.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\kyf.dat failed!

Could not process line:
C:\WINDOWS\SYSTEM32\kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SrchSTS.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\SrchSTS.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SrchSTS.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cf063a0d.exe not found!
Deletion of file C:\WINDOWS\System32\cf063a0d.exe failed!

Could not process line:
C:\WINDOWS\System32\cf063a0d.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SCFGWMIT.exe not found!
Deletion of file C:\WINDOWS\System32\SCFGWMIT.exe failed!

Could not process line:
C:\WINDOWS\System32\SCFGWMIT.exe
Status: 0xc0000034



File C:\WINDOWS\System32\DIGESTW.exe not found!
Deletion of file C:\WINDOWS\System32\DIGESTW.exe failed!

Could not process line:
C:\WINDOWS\System32\DIGESTW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\0dc14acb.exe not found!
Deletion of file C:\WINDOWS\System32\0dc14acb.exe failed!

Could not process line:
C:\WINDOWS\System32\0dc14acb.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\xkefyp.exe not found!
Deletion of file C:\WINDOWS\System32\xkefyp.exe failed!

Could not process line:
C:\WINDOWS\System32\xkefyp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\UDIOSRVA.exe not found!
Deletion of file C:\WINDOWS\System32\UDIOSRVA.exe failed!

Could not process line:
C:\WINDOWS\System32\UDIOSRVA.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SMARQUES.exe not found!
Deletion of file C:\WINDOWS\System32\SMARQUES.exe failed!

Could not process line:
C:\WINDOWS\System32\SMARQUES.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.



Thanks for the help.
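Every entry in the two Avenger logs above ends in `Status: 0xc0000034`, except one that ends in `0xc000003a`. Those are Windows NTSTATUS codes, and the odd one out is a direct consequence of the script line `C:\Documents and Settings\francis\My` / `Documents\francis_stuf\...` having been wrapped across two lines when it was pasted. As an added example (not code from this thread or from The Avenger's author), the Python below parses the "Could not process line" blocks of an Avenger log, groups the failures by status name, and detects wrapped paths by looking for a relative line that directly follows an absolute one. The log excerpt is constructed from the log posted above; the two status names are the standard Windows definitions for those values.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt of the Avenger log posted in this thread: three of the
# failed entries, including the two produced by the wrapped script line.
AVENGER_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034

File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034

Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a

Completed script processing.
"""

# Windows NTSTATUS values seen in the thread's logs.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # final path component does not exist
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a directory on the way does not exist
}

# "Could not process line:" is followed by the script line, then "Status: 0x........".
FAILURE_RE = re.compile(
    r"Could not process line:\n(?P<path>[^\n]+)\nStatus: (?P<status>0x[0-9a-fA-F]{8})")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_failures(log_text: str) -> List[Dict[str, object]]:
    """One record per failed script line: path, numeric status, status name."""
    failures = []
    for m in FAILURE_RE.finditer(log_text):
        code = int(m["status"], 16)
        failures.append({"path": m["path"].strip(), "status": code,
                         "name": NTSTATUS_NAMES.get(code, "UNKNOWN_%08X" % code)})
    return failures


def summarize(failures: List[Dict[str, object]]) -> Dict[str, int]:
    """Count of failures per status name."""
    return dict(Counter(str(f["name"]) for f in failures))


def find_wrapped_paths(failures: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Detect script lines that a line wrap split in two.

    A relative line (no drive letter) right after a failed absolute line is
    almost certainly the tail of that line; rejoining with a space recovers
    the path the script was meant to delete. The head fails with
    NAME_NOT_FOUND (no such file "My"), the tail with PATH_NOT_FOUND
    (relative path resolved against a directory that does not contain it).
    """
    wrapped = []
    for prev, cur in zip(failures, failures[1:]):
        head, tail = str(prev["path"]), str(cur["path"])
        if DRIVE_RE.match(head) and not DRIVE_RE.match(tail):
            wrapped.append({"head": head, "tail": tail, "rejoined": head + " " + tail})
    return wrapped


if __name__ == "__main__":
    found = parse_failures(AVENGER_LOG)
    print(summarize(found))
    for w in find_wrapped_paths(found):
        print("wrapped line, intended path:", w["rejoined"])
```

The same parser also answers the helper's implicit question: if every failure is NAME_NOT_FOUND, the files were already gone (removed by an earlier run or by the AV), which is a different situation from a file that is present but cannot be deleted.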

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with win32.p2p worm alcan.a
« Reply #10 on: June 14, 2006, 02:18:46 PM »
Chances are most of the files you removed with Avenger were done the first time around and now are not found
Quote
Here are the logs. Posted 2 avenger logs, first one I think I did in selective startup, forgot to uncheck them again...

I want to see EVERYTHING in the log
I need you to do the following
Go back to msconfig
REENABLE EVERYTHING ON STARTUP

Reboot the computer afterwards and post back a fresh hijackthis log

You're almost done, but we won't continue until you have done the above
Leave everything enabled until AFTER we are sure you are clean



Offline purepremium2006

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
need help with win32.p2p worm alcan.a
« Reply #11 on: June 14, 2006, 09:32:15 PM »
Sorry about the goof-up; I didn't mention that the HijackThis log was done after I enabled it all, but I did it again. Both Avenger and HijackThis logs are below.


Logfile of HijackThis v1.99.1
Scan saved at 7:30:43 PM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe




_____________________________________________________


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bvqmayav

*******************

Script file located at: \??\C:\WINDOWS\gfaplsgn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\francis\Cookies\francis@go[1].txt not found!
Deletion of file C:\Documents and Settings\francis\Cookies\francis@go[1].txt failed!

Could not process line:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Status: 0xc0000034



File C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log not found!
Deletion of file C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log failed!

Could not process line:
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Status: 0xc0000034



File C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe not found!
Deletion of file C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe failed!

Could not process line:
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Status: 0xc0000034



File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034



Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a



File C:\Program Files\Internet Explorer\winbrume.dat not found!
Deletion of file C:\Program Files\Internet Explorer\winbrume.dat failed!

Could not process line:
C:\Program Files\Internet Explorer\winbrume.dat
Status: 0xc0000034



File C:\WINDOWS\alchem.ini not found!
Deletion of file C:\WINDOWS\alchem.ini failed!

Could not process line:
C:\WINDOWS\alchem.ini
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\azesearch.inf not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\azesearch.inf failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\azesearch.inf
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\test.INF not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\test.INF failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\test.INF
Status: 0xc0000034



File C:\WINDOWS\drsmartload2.dat not found!
Deletion of file C:\WINDOWS\drsmartload2.dat failed!

Could not process line:
C:\WINDOWS\drsmartload2.dat
Status: 0xc0000034



File C:\WINDOWS\INF\alchem.inf not found!
Deletion of file C:\WINDOWS\INF\alchem.inf failed!

Could not process line:
C:\WINDOWS\INF\alchem.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biC.inf not found!
Deletion of file C:\WINDOWS\INF\biC.inf failed!

Could not process line:
C:\WINDOWS\INF\biC.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biini.inf not found!
Deletion of file C:\WINDOWS\INF\biini.inf failed!

Could not process line:
C:\WINDOWS\INF\biini.inf
Status: 0xc0000034



File C:\WINDOWS\INF\polmx2.inf not found!
Deletion of file C:\WINDOWS\INF\polmx2.inf failed!

Could not process line:
C:\WINDOWS\INF\polmx2.inf
Status: 0xc0000034



File C:\WINDOWS\INF\twaintec.inf not found!
Deletion of file C:\WINDOWS\INF\twaintec.inf failed!

Could not process line:
C:\WINDOWS\INF\twaintec.inf
Status: 0xc0000034



File C:\WINDOWS\msbb.log not found!
Deletion of file C:\WINDOWS\msbb.log failed!

Could not process line:
C:\WINDOWS\msbb.log
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho not found!
Deletion of file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034



File C:\WINDOWS\msbb_kyf.dat not found!
Deletion of file C:\WINDOWS\msbb_kyf.dat failed!

Could not process line:
C:\WINDOWS\msbb_kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\kyf.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\kyf.dat failed!

Could not process line:
C:\WINDOWS\SYSTEM32\kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SrchSTS.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\SrchSTS.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SrchSTS.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cf063a0d.exe not found!
Deletion of file C:\WINDOWS\System32\cf063a0d.exe failed!

Could not process line:
C:\WINDOWS\System32\cf063a0d.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SCFGWMIT.exe not found!
Deletion of file C:\WINDOWS\System32\SCFGWMIT.exe failed!

Could not process line:
C:\WINDOWS\System32\SCFGWMIT.exe
Status: 0xc0000034



File C:\WINDOWS\System32\DIGESTW.exe not found!
Deletion of file C:\WINDOWS\System32\DIGESTW.exe failed!

Could not process line:
C:\WINDOWS\System32\DIGESTW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\0dc14acb.exe not found!
Deletion of file C:\WINDOWS\System32\0dc14acb.exe failed!

Could not process line:
C:\WINDOWS\System32\0dc14acb.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\xkefyp.exe not found!
Deletion of file C:\WINDOWS\System32\xkefyp.exe failed!

Could not process line:
C:\WINDOWS\System32\xkefyp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\UDIOSRVA.exe not found!
Deletion of file C:\WINDOWS\System32\UDIOSRVA.exe failed!

Could not process line:
C:\WINDOWS\System32\UDIOSRVA.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SMARQUES.exe not found!
Deletion of file C:\WINDOWS\System32\SMARQUES.exe failed!

Could not process line:
C:\WINDOWS\System32\SMARQUES.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.
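An added triage script for Avenger logs like the two posted above. It is not part of this thread and not Avenger's own code. It decodes the "Status:" values (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND, both meaning nothing was at that path, which is the point guestolo makes about the first run having already removed the files), and it catches the artifact visible in the log above where "C:\Documents and Settings\francis\My" and "Documents\francis_stuf\...\cf063a0d.exe" appear as two consecutive script lines: a path containing spaces was split, so that file was never actually targeted. The embedded log is a constructed excerpt in the same format, not the full log from the thread, and the "deleted successfully" success line format is an assumption.

```python
"""Triage an Avenger log: which script lines succeeded, which targets were simply
absent, and whether a path containing spaces was split into two script lines."""
import re

# NTSTATUS values that show up as "Status: 0x..." in Avenger output (ntstatus.h constants)
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # file name does not exist in that directory
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",   # a directory in the path does not exist
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",       # file still open / locked by a process
}
ABSENT = {0xC0000034, 0xC000003A}

# Constructed excerpt in the format of the logs above (not the full log from the thread).
# The "deleted successfully" line is the success format assumed for Avenger v1.
SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bvqmayav

Beginning to process script file:

File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034

File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034

Could not open file Documents\francis_stuf\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\system32BU\cf063a0d.exe
Status: 0xc000003a

File C:\WINDOWS\alchem.ini deleted successfully.

Completed script processing.
"""

FAIL_RE = re.compile(
    r"^Could not process line:\r?\n(?P<path>.+?)\r?\nStatus: 0x(?P<status>[0-9A-Fa-f]{8})[ \t]*$",
    re.MULTILINE,
)
OK_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.[ \t]*$", re.MULTILINE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_avenger(text):
    """Return the script entries in log order as dicts: path, NTSTATUS (0 = success), ok."""
    entries = [{"path": m["path"], "status": int(m["status"], 16), "ok": False, "pos": m.start()}
               for m in FAIL_RE.finditer(text)]
    entries += [{"path": m["path"], "status": 0, "ok": True, "pos": m.start()}
                for m in OK_RE.finditer(text)]
    return sorted(entries, key=lambda e: e["pos"])


def find_split_paths(entries):
    r"""Avenger processes the script one line at a time. When a path with spaces is
    split, the log shows an absolute head that is not a real file
    (C:\Documents and Settings\francis\My) followed by a relative tail
    (Documents\...\cf063a0d.exe). Pair each head/tail and rebuild the intended path."""
    splits = []
    for head, tail in zip(entries, entries[1:]):
        if (not head["ok"] and not tail["ok"]
                and DRIVE_RE.match(head["path"]) and not DRIVE_RE.match(tail["path"])):
            splits.append({"head": head["path"], "tail": tail["path"],
                           "joined": head["path"] + " " + tail["path"]})
    return splits


def triage(text):
    """Summarise a log: what was removed, what was already absent, what needs a second look."""
    entries = parse_avenger(text)
    splits = find_split_paths(entries)
    fragments = {s["head"] for s in splits} | {s["tail"] for s in splits}
    report = {"deleted": [], "not_present": [], "needs_attention": [],
              "split_paths": [s["joined"] for s in splits]}
    for e in entries:
        if e["path"] in fragments:
            continue                      # reported once, as the rebuilt path
        if e["ok"]:
            report["deleted"].append(e["path"])
        elif e["status"] in ABSENT:
            # nothing at that path: already removed, or the path was never right
            report["not_present"].append(e["path"])
        else:
            report["needs_attention"].append((e["path"], NTSTATUS.get(e["status"], hex(e["status"]))))
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Anything under "split_paths" has to be re-checked by hand: the rebuilt path may still exist on disk even though every other entry reads as "not found", and "not_present" only says the name was absent at the moment Avenger ran, not that it was never there.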

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with win32.p2p worm alcan.a
« Reply #12 on: June 14, 2006, 09:50:28 PM »
Try one more time
Quote
I want to see EVERYTHING in the log
I need you to do the following
Go back to msconfig
REENABLE EVERYTHING ON STARTUP

Reboot the computer afterwards and post back a fresh hijackthis log

You're almost done, but we won't continue until you have done the above
Leave everything enabled until AFTER we are sure you are clean

Geesh, just enable everything on startup in msconfig and reboot the computer
Leave it enabled till after we have you clean

I don't want to see a new Avenger log, the very first one was the most important!
« Last Edit: June 14, 2006, 09:52:53 PM by guestolo »



Offline purepremium2006

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
need help with win32.p2p worm alcan.a
« Reply #13 on: June 15, 2006, 02:41:10 AM »
Everything under Startup was enabled; the Enable All button was greyed out. But I also enabled everything under System.ini, Win.ini, and Services for this reboot and HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:30 AM, on 6/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
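An added triage script for the HijackThis 1.99.1 O4 and O23 lines in the format shown above. It is not part of this thread and not HijackThis code. It flags the entries the log text alone cannot settle: Run values that give only a bare filename and are therefore resolved through the search path at logon (Ati2mdxx.exe, pctspk.exe and Logi_MwX.Exe above), Global Startup shortcuts whose target HijackThis printed as "?", services listed as "Unknown owner" (the binary carries no company name in its version info), and anything launched from a user-writable directory. The embedded sample is a constructed excerpt; its "[Dropper]" line is invented purely to exercise the last rule and was never on this machine.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines, flagging entries that
cannot be judged from the log text alone and need to be checked on disk."""
import re

RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<lnk>.+?\.lnk) = (?P<target>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories a legitimate autostart or service binary rarely runs from (assumed heuristic,
# matched case-insensitively against the executable path)
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")

# Constructed excerpt in HijackThis 1.99.1 format. The [Dropper] line is invented to
# exercise the user-writable rule; it is not from the thread's log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [Dropper] "C:\Documents and Settings\francis\Local Settings\Temp\svch0st.exe" /s
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
"""


def executable_of(cmd):
    """Program part of a Run-key command: the quoted path if present, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_hjt(log_text):
    """Return findings in log order as dicts: subject, reason, line."""
    findings = []

    def flag(subject, reason, line):
        findings.append({"subject": subject, "reason": reason, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                flag(exe, "bare filename: resolved through the search path at logon, "
                          "so locate the actual file before trusting the entry", line)
            elif user_writable(exe):
                flag(exe, "autostart runs from a user-writable directory", line)
        elif m := LNK_RE.match(line):
            if m["target"].strip() == "?":
                flag(m["lnk"], "shortcut target not resolved by HijackThis: open the .lnk "
                               "and see what it launches", line)
        elif m := SVC_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                flag(m["name"], "no company name in the service binary's version info: "
                                "check its signature or hash", line)
            elif user_writable(m["path"]):
                flag(m["name"], "service binary lives in a user-writable directory", line)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['subject']}: {f['reason']}\n    {f['line']}")
```

A flag is a reason to look, not a verdict: acs.exe here is the D-Link/Atheros wireless utility and the "Unknown owner" services above are legitimate, but the log cannot prove that, which is exactly why the file on disk has to be checked.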

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
need help with win32.p2p worm alcan.a
« Reply #14 on: June 15, 2006, 05:38:29 PM »
That's looking good

Can you reboot into Safe Mode and run WinPFind again?
Reboot back to Normal Mode and post its log, please.

Besides having the extra startup entries, how is everything else running?
Just some final cleanup if everything is OK
« Last Edit: June 15, 2006, 05:39:19 PM by guestolo »



Offline purepremium2006

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
need help with win32.p2p worm alcan.a
« Reply #15 on: June 16, 2006, 02:05:40 AM »
I haven't really had time to work on my comp at home this week yet, but I opened Photoshop just now and it seems a bit faster opening files. It's been running smoother, that's for sure, with less lag when starting/opening stuff.

About those sys restore folders (C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}).  Can I delete them?

Here's the log...

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/28/2002 2:00:00 PM        41397      C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2                 9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                7/12/2005 7:04:22 PM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor             8/28/2002 2:00:00 PM        631808     C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX!                 1/9/2006 10:36:00 AM        42496      C:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 1/9/2006 10:36:00 AM        40960      C:\WINDOWS\SYSTEM32\swsc.exe
winsync              8/28/2002 2:00:00 PM        1309184    C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
UPX!                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     6/15/2006 11:51:02 PM     S 2048       C:\WINDOWS\BOOTSTAT.DAT
                     6/15/2006 11:49:46 PM     S 64         C:\WINDOWS\CSC\00000001
                     6/11/2006 12:45:12 PM     S 64         C:\WINDOWS\CSC\00000002
                     6/7/2006 7:12:18 PM       S 64         C:\WINDOWS\CSC\csc1.tmp
                     4/28/2006 9:29:22 PM     HS 848        C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
                     6/15/2006 11:50:50 PM    H  8192       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
                     6/15/2006 11:51:10 PM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
                     6/15/2006 11:51:06 PM    H  12288      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
                     6/15/2006 11:52:26 PM    H  86016      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
                     6/15/2006 11:51:08 PM    H  1159168    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
                     7/13/2006 1:24:22 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\153d4519-394e-4c7c-8095-25fe2cf4e79a
                     5/2/2006 12:52:20 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\25859ce9-92ac-45ac-8b06-5d887a65dca2
                     6/30/2006 1:22:34 PM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\3781809c-f2bc-4296-ad5e-0799756c3c62
                     5/2/2006 12:52:20 AM     HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     6/15/2006 11:49:54 PM    H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/28/2002 2:00:00 PM        66048      C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        578560     C:\WINDOWS\SYSTEM32\APPWIZ.CPL
                               11/11/1999 9:11:00 AM       183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Logitech Inc.                  7/28/2005 2:01:56 PM        360448     C:\WINDOWS\SYSTEM32\camcpl.cpl
                               5/23/2002 8:45:48 PM        24576      C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        129024     C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        150016     C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        292352     C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        121856     C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        187904     C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        559616     C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        35840      C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        256000     C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        109056     C:\WINDOWS\SYSTEM32\POWERCFG.CPL
                               11/19/1999 2:54:12 PM       155648     C:\WINDOWS\SYSTEM32\PPPoEService.cpl
RealNetworks, Inc.             1/13/2003 1:47:04 AM        24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        268288     C:\WINDOWS\SYSTEM32\SYSDM.CPL
Wacom Technology, Corp.        11/25/2002 1:55:00 PM       921600     C:\WINDOWS\SYSTEM32\Tablet.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        28160      C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        90112      C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation          5/26/2005 5:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     1/11/2006 7:45:30 PM        409        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
                     1/29/2006 6:13:00 PM        1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
                     1/11/2006 7:45:30 PM        533        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
                     1/11/2006 7:45:30 PM        513        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
                     5/5/2006 11:38:46 PM        1782       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     4/29/2006 1:44:20 AM        988        C:\Documents and Settings\francis\Start Menu\Programs\Startup\Adobe Gamma.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\francis\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\francis\Application Data\DESKTOP.INI
                     2/7/2003 12:49:28 AM        12358      C:\Documents and Settings\francis\Application Data\PFP100JCM.{PB
                     2/7/2003 12:49:28 AM        61678      C:\Documents and Settings\francis\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   ATIModeChange   Ati2mdxx.exe
   zBrowser Launcher   C:\Program Files\Logitech\iTouch\iTouch.exe
   PCTVOICE   pctspk.exe
   LogitechCameraAssistant   C:\Program Files\Logitech\Video\CameraAssistant.exe
   iTunesHelper   C:\Program Files\iTunes\iTunesHelper.exe
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   MSConfig   C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
   YBrowser   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   StorageGuard   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   Share-to-Web Namespace Daemon   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   RegKillTray   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   RegKillElbyCheck   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   RealTray   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   PRISMSVR.EXE   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   mmtask   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   LVCOMSX   C:\WINDOWS\System32\LVCOMSX.EXE
   LogitechVideo[inspector]   C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
   LogitechCameraService(E)   C:\WINDOWS\System32\ElkCtrl.exe /automation
   Logitech Utility   Logi_MwX.Exe
   Apoint   C:\Program Files\Apoint\Apoint.exe
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   PopUpStopperFreeEdition   "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
   Yahoo! Pager   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   LogitechSoftwareUpdate   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   2
   services   0
   startup   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
   NoBackButton   0
   NoFileMru   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoStartMenuMyMusic   1
   NoSMMyPictures   1
   NoRecentDocsMenu   1
   ClearRecentDocsOnExit   1
   NoRecentDocsHistory   1
   NoTaskGrouping   1
   NoRecentDocsNetHood   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/15/2006 11:59:51 PM
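As an added triage helper (not code from this thread or from WinPFind), the parser below reads the bracketed Run keys in the WinPFind layout shown above and flags autorun values that are bare file names (location unverified) or that launch from user-writable folders; the log excerpt and its "updater" entry are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt in the WinPFind layout of the log above; the "updater"
# entry is an invented example of an autorun launching from a user-writable folder.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   ATIModeChange   Ati2mdxx.exe
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   updater   C:\Documents and Settings\user\Local Settings\Temp\svc.exe
"""

# key: registry key; name: value name; exe: program extracted; flag: triage category
RunEntry = NamedTuple("RunEntry", [("key", str), ("name", str), ("exe", str), ("flag", str)])

# Folders a limited user can write to (XP-era layout); autoruns starting here deserve a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)

def extract_exe(command: str) -> str:
    """Program part of a command line; handles quoted and unquoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = EXE_RE.match(command)
    return match.group(1) if match else (command.split(maxsplit=1)[0] if command else "")

def classify(exe: str) -> str:
    low = exe.lower()
    if "\\" not in low:
        return "bare-name"      # resolved via the search path; real location unverified
    if any(marker in low for marker in USER_WRITABLE):
        return "user-writable"  # typical drop location for malware
    return "absolute"

def parse_run_keys(text: str) -> List[RunEntry]:
    """Collect the values listed under every bracketed Run key in a WinPFind log."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            key = line.strip()[1:-1]
            current = key if key.lower().endswith("\\run") else None
            continue
        if current is None or not line[:1].isspace() or not line.strip():
            continue
        parts = re.split(r"\s{3,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            exe = extract_exe(parts[1])
            entries.append(RunEntry(current, parts[0], exe, classify(exe)))
    return entries
```

Bare-name entries such as Ati2mdxx.exe or pctspk.exe are not suspicious by themselves, but the flag tells the reviewer which entries still need their on-disk location confirmed.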

guestolo (Administrator)
« Reply #16 on: June 17, 2006, 12:20:04 PM »
Looks good, sorry for the delay.
Yes, we should clear those system restore points; that's part of our final cleanup :)

If everything is running better:
Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the left-hand side click on "System Restore Settings"
Put a check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature and create a new restore point

If you don't have these next Spyware scanners, I suggest you download both and hold onto them
Download and Install
Ad-Aware SE Personal 1.06

Open Ad-Aware, make sure to click the "Check for updates now" link and Connect to download the latest updates
Close out after it is updated, as we will need it later
Open Ad-Aware SE 1.06
Click START
Click the radio button to Perform a Full system scan, then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process
===================================

Download and Install Spybot 1.4 from
HERE or HERE
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer if any red entries were selected and fixed

Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool
    *Will block bad ActiveX Controls
    *Block malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection"
Check for updates every couple of weeks
After every update just simply click "Enable protection on all unprotected items"
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Make sure your Firewall is enabled and running
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission
The Firewall in Windows SP1 is not enabled by default;
it is in SP2. We should address this problem.
If you would like a better firewall than the one provided with Windows, let me know and I'll post a link

Update and do scans with your Anti-Spyware programs on a regular basis
In addition: Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update

Most Important:
*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure
Make sure you check for updates at least once a month!
You still haven't updated to Service Pack 2?
Is there a reason for this?
I would take this opportunity to update
Please see this link:
http://www.microsoft.com/windowsxp/sp2/default.mspx
Take note on that page and read the following:
"What to know before you download and install"

Before updating I would run the disk defragmenter on your computer
START>>All Programs>>Accessories>>System Tools>>Disk Defragmenter
If you haven't run this in a while, it could take a bit of time to finish; let it run uninterrupted
I find it best run in safe mode
Then reboot back to Normal mode and visit Windows Updates!
If you're on dial-up, you may choose to order the free CD
There is a link on that page also

NOTE: You have HP's Share-to-Web installed. It's not a bad thing, but there was a Windows update that caused problems with the IE address bar, being unable to open some folders, etc...
Not to worry; if you experience any of these problems, post back and we will fix that issue for you
Do Not remove SP2 because of this!
I think Windows update has already addressed this issue, but that is just precaution

Stay safe :)

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


purepremium2006
« Reply #17 on: June 19, 2006, 04:27:25 AM »
Got SpywareBlaster, Ad-Aware and Spybot all running; system seems very clean now. Can you repost the SP2 update link? It's not working. Thanks again for all your help. Very much appreciated. I've always thought if I avoided porn sites and clicking on pop-ups my comp would be free of crap. Didn't know that it was so weighed down by crap. Please post the link for the other firewall you speak of; I will read up on it, though I think the XP one is doing an ok job. Funny, all this virus crap is really making me consider buying a Mac. Hope you had a wonderful weekend and have a good week.

Thank you very much


francis

guestolo (Administrator)
« Reply #18 on: June 19, 2006, 06:55:43 AM »
You can find links to other firewalls in my top link in these forums
Located HERE
Only use one software firewall if you decide to install one

The link to SP2 changed a bit, sorry about that
That same link
http://www.microsoft.com/windowsxp/sp2/default.mspx
You will find other links directing to
Support and how-tos
Why?
How?

Scan through it all, especially take note of How?>>Get your Computer ready
« Last Edit: June 19, 2006, 10:34:47 PM by guestolo »



purepremium2006
« Reply #19 on: June 24, 2006, 01:40:51 AM »
hey guestolo

I'd like to donate a small amount for your help.
I don't trust PayPal anymore; they keep sending me spam and I've put my account on hold.
Give me an address and I'd like to send it to you.  

Thanks again for all the help.