Computer Restarts when Trying to Scan


  • This topic is locked

#1
Mortain

    New Member

  • Member
  • 8 posts
I've run scans with multiple kinds of programs. Virus scanners, Stingers, Spyware and Adaware removers. Nothing is helping. My latest attempt with RegCure was again, a failure. Defrags, scandisks aren't helping. I've updated all of my drivers, there are no conflicts that I know of, and updated my service pack and security from Microsoft.

When certain programs seem to try to scan a certain set of files or a directory, my computer restarts. No error messages, no warnings. Nothing. I've had tech guy after tech guy look at this, and they are as baffled as I am. The last thing I want to do is reformat. Help?


Logfile of HijackThis v1.99.1
Scan saved at 8:37:38 AM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Furcadia2\Mreow Proxy\mreowproxy_486.exe
C:\Program Files\Furcadia2\furcadia.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
G:\000 New Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.c...mpaign=wdz0605a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.furmagic....rissa/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lgigfevp.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\Software\..\Telephony: DomainName = Suberbest
O17 - HKLM\System\CCS\Services\Tcpip\..\{83697EB4-27BC-476F-A010-8B3289D0F589}: Domain = superbeast
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Suberbest
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

============================================
Uninstall Log

Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Photoshop CS
Adobe Photoshop Elements
AIM 6.0
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AVI-GIF 2.1
Bulent's Screen Recorder 3
CleanUp!
dBpowerAMP AAC to Mp4 Codec
dBpowerAMP Arrange Music
dBpowerAMP Au Codec
dBpowerAMP Channel Split
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
dBPowerAMP Real Audio Encoder R3
dBpowerAMP Rename Extension
dBpowerAMP Tag From Filename
dBpowerAMP TTA Codec
dBpowerAMP Update ID Tag
dBpowerAMP WMA V8 Codec
dBpowerAMP WMA V9.1 Codec
DC Character Builder V3.3
DivX Web Player
FTP Voyager 10.0
FurBot
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
HP Precisionscan Pro 3.1
hp psc 1200 series
ICQ 5
Intel Application Accelerator
Intel® Extreme Graphics Driver
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_04
Last.fm Player 1.1.2
LimeWire 4.10.9
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Flash MX
Macromedia FreeHand 10
Macromedia Shockwave Player
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office FrontPage 2003
Microsoft Office Professional
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
Microsoft Works 7.0
Morrowind
Mozilla Firefox (0.8.)
Mozilla Firefox (1.5.0.8)
MSN
MSN Messenger 7.5
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MUSICMATCH® Jukebox
Nero - Burning Rom
Ogg Vorbis aoTuV b4
Ogg Vorbis aoTuV b4 SSE2
OIN
Personal License Update Wizard for Windows Media Player
Pirate Poppers
Puma's Claw
QTam Bitmap to Icon 3.5
QuickTime
QuickTime Alternative 1.67
RealOne Player
Realtek AC'97 Audio
RecordPad Sound Recorder Uninstall
RegCure 1.0.0.43
SecondLife (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Semagic (remove only)
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Spybot - Search & Destroy 1.4
StyleXP (remove only)
TES Construction Set
Themexp.org File
Viewpoint Media Player
VSAdd-in for Internet Explorer
WavePad Uninstall
Wheel of Time
WinAlarm 1.1.0
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Live OneCare safety scanner
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
WinRAR archiver
WinZip
Yahoo! Messenger
YOUNTEL-UMS Driver Install 1.0
ZoneAlarm

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Mortain, please bear with me while I analyse your log.

#3
Mortain

    New Member

  • Topic Starter
  • Member
  • 8 posts
Thanks. I appreciate the quick response.

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Mortain, there are a couple of files that I would like checked out first, please.

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\aysxckc.dll
  • Then browse for this one: C:\WINDOWS\system32\lgigfevp.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Will be back in a bit with a fix

#5
Mortain

    New Member

  • Topic Starter
  • Member
  • 8 posts
Uploaded.

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Mortain, and thanks for uploading the files :whistling:. Before we start, could you please copy and paste this post to a text file for reference, as at times you will be offline.

To start

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lgigfevp.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)

O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

OIN
VSAdd-in for Internet Explorer


Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

OIN

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\aysxckc.dll
C:\WINDOWS\system32\lgigfevp.dll
wingdm32.dll (this may well be in system32; use Windows Search to find it)


After that, Reboot.

NEXT

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do NOT run a scan just yet; we will shortly.
THEN

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

ALMOST THERE

  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

AND FINALLY

Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.


Reports required are Winpfind, Vundo.txt, AVG scan report and a new HJT log
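As an added example that is not part of this thread or of HijackThis itself: a small Python triage script that applies the two rules visible in the entries Essexboy picked out above (entries whose target reads "(no file)" or "(file missing)", and unnamed BHO, toolbar or Winlogon Notify DLLs loaded straight from system32, which he had uploaded for analysis before asking for their removal). The rules and the sample lines, copied from the log in post #1, are constructed for this example; the script sorts entries into "look at this first", it does not decide whether a file is malicious.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not part of
the thread or of HijackThis). It encodes two rules a helper applies when
picking entries to fix, and nothing more:

  1. the entry's target is "(no file)" / "(file missing)": an orphaned
     registration, which can be removed and is often residue of malware
     that was already deleted;
  2. an O2 / O3 / O20 entry reported as "(no name)" whose target is a DLL
     sitting directly in %SystemRoot%\\system32: unidentified, so it is a
     candidate to submit for analysis, not a verdict.
"""
import re

# Entry line: "<section code> - <body>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
MISSING_MARKERS = ("(no file)", "(file missing)")
# A DLL directly under the system32 directory (any drive letter, any case)
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[^\\]+\.dll$", re.IGNORECASE)
UNNAMED_SECTIONS = {"O2", "O3", "O20"}

# Constructed sample: lines copied from the HijackThis log in post #1
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
"""


def parse_entry(line):
    """Split one log line into section code, display name and target path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    fields = body.split(" - ")
    # First field is "<kind>: <name>" for R/O2/O3/O20 entries, e.g. "BHO: (no name)"
    _, _, name = fields[0].partition(": ")
    return {"code": code, "name": name, "target": fields[-1], "raw": line.strip()}


def classify(entry):
    """Return a reason string if the entry deserves a look, else None."""
    if any(marker in entry["target"] for marker in MISSING_MARKERS):
        return "orphaned registration: target file missing"
    if (entry["code"] in UNNAMED_SECTIONS and entry["name"] == "(no name)"
            and SYSTEM32_DLL_RE.match(entry["target"])):
        return "unnamed DLL loaded from system32: submit for analysis before removing"
    return None


def triage(log_text):
    """Return (code, reason, raw line) for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["code"], reason, entry["raw"]))
    return findings


if __name__ == "__main__":
    for code, reason, raw in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason}\n     {raw}")
```

Run against the sample it flags the same five entries the moderator listed (the R3 hook, both unnamed system32 BHOs minus the Spybot one, the orphaned O2/O3 CLSIDs and the missing wingdm32.dll) and leaves the Adobe, Java, Spybot, ZoneAlarm and Intel entries alone. A second rule-set would be needed for O4 Run keys and O23 services, which carry no "(no name)" marker and have to be judged by path and publisher instead.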

#7
Mortain

    New Member

  • Topic Starter
  • Member
  • 8 posts
OK, scanned. I found VSAdd-in for Internet Explorer, and it could not be deleted in Safe Mode with the Add/Remove software tool.

Here are my logs.

WinPFind Logs

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 12/8/2006 6:00:08 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\Super Beast\Desktop\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 11/14/2006 11:02:16 AM 85801 C:\gvbmw.exe ()
UPX! 5/20/2004 1:29:34 AM HS 259047424 C:\hiberfil.sys ()
PECompact2 5/6/2005 11:09:12 PM 1011032 C:\WebCleaner.dll (Microsoft Corporation)
aspack 5/6/2005 11:09:12 PM 1011032 C:\WebCleaner.dll (Microsoft Corporation)

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 1/15/2001 3:07:00 AM 311824 C:\WINDOWS\eFaxview.exe (eFax.com)
PECompact2 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\lpt$vpn.805 ()
qoologic 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\lpt$vpn.805 ()
SAHAgent 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\lpt$vpn.805 ()
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe (Trend Micro Inc.)
FSG! 11/14/2006 11:02:16 AM 9353 C:\WINDOWS\userinit.exe ()
PECompact2 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\VPTNFILE.805 ()
qoologic 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\VPTNFILE.805 ()
SAHAgent 8/28/2005 12:59:08 PM 15697905 C:\WINDOWS\VPTNFILE.805 ()
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)

Checking %System% folder...
WSUD 9/20/2004 2:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2 8/23/2001 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
Umonitor 5/13/2001 9:13:44 PM 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll (Hewlett-Packard Company)
PTech 6/19/2006 3:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 11/15/2006 9:20:40 PM 10474920 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/3/2004 11:56:54 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
qoologic 4/22/2005 12:03:28 PM 10490604 C:\WINDOWS\SYSTEM32\pav.sig ()
aspack 4/22/2005 12:03:28 PM 10490604 C:\WINDOWS\SYSTEM32\pav.sig ()
SAHAgent 4/22/2005 12:03:28 PM 10490604 C:\WINDOWS\SYSTEM32\pav.sig ()
winsync 4/22/2005 12:03:28 PM 10490604 C:\WINDOWS\SYSTEM32\pav.sig ()
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 12/19/2004 10:00:00 PM 111104 C:\WINDOWS\SYSTEM32\uharc.exe ()
UPX! 11/14/2006 11:12:46 AM 110612 C:\WINDOWS\SYSTEM32\vpaebdue.exe ()
winsync 8/23/2001 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 6/19/2006 3:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/8/2006 5:57:56 PM S 2048 C:\WINDOWS\bootstat.dat ()
12/7/2006 8:55:28 PM H 54156 C:\WINDOWS\QTFont.qfn ()
10/13/2006 9:24:08 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
10/13/2006 9:24:14 AM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
11/14/2006 11:12:28 AM HS 762337 C:\WINDOWS\system32\abadd.bak1 ()
11/14/2006 3:50:54 PM HS 776141 C:\WINDOWS\system32\abadd.ini ()
10/10/2006 10:28:32 PM S 9200 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914440.cat ()
10/16/2006 7:35:46 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920213.cat ()
10/13/2006 4:55:52 AM S 10965 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923980.cat ()
10/13/2006 5:33:10 AM S 10259 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB924270.cat ()
12/8/2006 5:57:48 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
12/8/2006 5:59:00 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
12/8/2006 5:57:58 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
12/8/2006 5:59:02 PM H 73728 C:\WINDOWS\system32\config\software.LOG ()
12/8/2006 5:58:06 PM H 1159168 C:\WINDOWS\system32\config\system.LOG ()
11/19/2006 9:08:50 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
10/13/2006 9:10:12 AM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD ()
10/13/2006 9:10:12 AM S 146 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD ()
12/8/2006 5:56:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
5/25/2004 6:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl ()
8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
9/20/2004 2:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
3/19/1996 11:00:00 PM 19456 C:\WINDOWS\SYSTEM32\FINDFAST.CPL ()
8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
6/21/2005 3:46:18 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl (Intel Corporation)
8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
10/12/2006 3:10:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
1/10/2005 11:10:42 AM 1425408 C:\WINDOWS\SYSTEM32\PenTablet.cpl (Wacom Technology, Corp.)
8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/23/2001 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
12/11/2003 7:40:30 PM 14193152 C:\WINDOWS\SYSTEM32\ReinstallBackups\0012\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/20/2004 2:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0017\DriverFiles\igfxcpl.cpl (Intel Corporation)

Checking for Downloaded Program Files...
{00B71CFB-6864-4346-A978-C0A14556272C} - Checkers Class - CodeBase = http://messenger.zon...kr.cab31267.cab
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft....467&clcid=0x409
{1EF9F042-C2EB-4293-8213-474CAEEF531D} - TmHcmsX Control - CodeBase = http://www.trendsecu...vex/TmHcmsX.CAB
{33564D57-9980-0010-8000-00AA00389B71} - - CodeBase = http://codecs.micros...386/wmv9dmo.cab
{5ED80217-570B-4DA9-BF44-BE107C0EC166} - Windows Live Safety Center Base Module - CodeBase = http://cdn.scan.safe...lscbase8460.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupd...8127.2813541667
{B9191F79-5613-4C76-AA2A-398534BB8999} - - CodeBase = http://us.dl1.yimg.c...utocomplete.cab
{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - Java Plug-in 1.5.0_02 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macr...ash/swflash.cab
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - Solitaire Showdown Class - CodeBase = http://messenger.zon...wn.cab31267.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/20/2004 3:02:00 AM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/19/2004 7:43:52 PM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini ()
2/27/2006 5:39:14 AM 742 C:\Documents and Settings\All Users.WINDOWS\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
5/20/2004 3:02:00 AM HS 84 C:\Documents and Settings\Super Beast\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
5/19/2004 7:43:52 PM HS 62 C:\Documents and Settings\Super Beast\Application Data\desktop.ini ()
6/27/2006 7:24:32 AM 40802 C:\Documents and Settings\Super Beast\Application Data\temp29678.txt ()
8/22/2006 5:00:24 AM 1024 C:\Documents and Settings\Super Beast\Application Data\WavCodec.wff ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Bar - http://www.microsoft...amp;ar=iesearch
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://wajas.com/
\\Search Bar - http://www.accoona.c...mpaign=wdz0605a
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{6754A456-BAD9-11D4-93D3-00B0D03A2F91} - IEHelperObj Class = ()
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{74DD705D-6834-439C-A735-A6DBE2677452} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8203
\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8193 =
\\{6224f700-cba3-4071-b251-47cb894244cd} - 8194 =
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8195 =
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8196 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8197 = Windows Messenger
\\{A75C6120-9B36-11d4-A3F0-009027427750} - 8198 =
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8199 = Yahoo! Messenger
\\{B863453A-26C3-4e1f-A54D-A2CD196348E9} - 8200 = ICQ Lite
\\{d9288080-1baa-4bc4-9cf8-a92d743db949} - 8201 =
\\{e2e2dd38-d088-4134-82b7-f2ba38496583} - 8202 = @xpsp3res.dll,-20001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc.)
\{B863453A-26C3-4e1f-A54D-A2CD196348E9} - ButtonText: ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - MenuText: = ()
\{d9288080-1baa-4bc4-9cf8-a92d743db949} - ButtonText: Run IMVU =
\{e2e2dd38-d088-4134-82b7-f2ba38496583} - MenuText: @xpsp3res.dll,-20001 = ()
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{955B7B84-5308-419c-8ED8-0B9CA3C56985} - America Online = C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll (America Online, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{32020A01-506E-484D-A2A8-BE3CF17601C3} - AlcoholShellEx = ()
\\{336B02CE-F88A-4aea-8731-79EF94D3723A} - Free AOL & Unlimited Internet.lnk = C:\WINDOWS\aod\aodshext.dll ()
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = ()
\\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()
\\{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll ()
\\{73B24247-042E-4EF5-ADC2-42F62E6FD654} - ICQ Lite Shell Extension = C:\Program Files\ICQLite\ICQLiteShell.dll ()
\\{B8323370-FF27-11D2-97B6-204C4F4F5020} - SmartFTP Shell Extension DLL = C:\Program Files\SmartFTP Client 2.0\smarthook.dll (SmartFTP)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\ICQLiteMenu - {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll ()
\VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\ICQLiteMenu - {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll ()
\VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\VirusScan - {cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll (Network Associates, Inc.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Column Handler = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll ()

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
ShStatEXE - C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE (Network Associates, Inc.)
McAfeeUpdaterUI - C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe (Sun Microsystems, Inc.)
Network Associates Error Reporting Service - C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe (Network Associates, Inc.)
!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
Aim6 - C:\Program Files\AIM6\aim6.exe (AOL LLC)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Super Beast\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
MDM 2
WZCSVC 3
W32Time 2
UPS 3
tmproxy 2
TmPfw 2
Tmntsrv 2
PcCtlCom 2
mnmsrvc 3
iPodService 3
WinToolsSvc 2
ose 3
SCardSvr 3
WmdmPmSN 3
Avg7UpdSvc 2
Avg7Alrt 2
WUSB54Gv4SVC 2
WANMiniportService 2
Pml Driver HPZ12 3
Ltntenk2 3
Adobe LM Service 3
StyleXPService 2
FastUserSwitchingCompatibility 3


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk
backup C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe
item Acrobat Assistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
item America Online 9.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlackICE PC Protection.lnk
backup C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup
location Common Startup
item BlackICE PC Protection

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^eFax.com Tray Menu.lnk
backup C:\WINDOWS\pss\eFax.com Tray Menu.lnkCommon Startup
location Common Startup
item eFax.com Tray Menu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Live Menu.lnk
backup C:\WINDOWS\pss\Live Menu.lnkCommon Startup
location Common Startup
item Live Menu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office Fast Start.lnk
backup C:\WINDOWS\pss\Microsoft Office Fast Start.lnkCommon Startup
location Common Startup
command C:\MSOffice\Office\FASTBOOT.EXE
item Microsoft Office Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office Find Fast Indexer.lnk
backup C:\WINDOWS\pss\Microsoft Office Find Fast Indexer.lnkCommon Startup
location Common Startup
command C:\MSOffice\Office\FINDFAST.EXE /noui
item Microsoft Office Find Fast Indexer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk
backup C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup
location Common Startup
command C:\MSOffice\Office\MSOFFICE.EXE
item Microsoft Office Shortcut Bar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Otaku Mascot.lnk
backup C:\WINDOWS\pss\Otaku Mascot.lnkCommon Startup
location Common Startup
item Otaku Mascot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TabUserW.exe.lnk
backup C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup
location Common Startup
command C:\WINDOWS\system32\WTablet\TabUserW.exe
item TabUserW.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Super Beast^Start Menu^Programs^Startup^Corel Print Office Registration.lnk
backup C:\WINDOWS\pss\Corel Print Office Registration.lnkStartup
location Startup
item Corel Print Office Registration

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Super Beast^Start Menu^Programs^Startup^IMVU.lnk
backup C:\WINDOWS\pss\IMVU.lnkStartup
location Startup
item IMVU

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Super Beast^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk
backup C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup
location Startup
item reminder-ScanSoft Product Registration

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Super Beast^Start Menu^Programs^Startup^VirtuaGirl.lnk
backup C:\WINDOWS\pss\VirtuaGirl.lnkStartup
location Startup
item VirtuaGirl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Super Beast^Start Menu^Programs^Startup^VirtuaGirl2.lnk
backup C:\WINDOWS\pss\VirtuaGirl2.lnkStartup
location Startup
item VirtuaGirl2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aim6
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim6
hkey HKCU
command "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AlcxMonitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ALCXMNTR
hkey HKLM
command ALCXMNTR.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Archive
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item archive
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTDrive
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item drvgib
hkey HKLM
command rundll32.exe C:\WINDOWS\system32\drvgib.dll,startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dhovmcn.dll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dhovmcn
hkey HKLM
command C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dhovmcn.dll,pkreivb
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Felix II
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Felix2
hkey HKCU
command C:\Program Files\ScreenMates\Felix II\Felix2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gcasServ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item googletalk
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\system32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICQ Lite
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command C:\Program Files\ICQLite\ICQLite.exe -minimize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\system32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechSoftwareUpdate
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ManifestEngine
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoRepair
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISStart
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechVideoTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LogiTray
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LTMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LTMSG
hkey HKLM
command LTMSG.exe 7
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMSX
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LVCOMSX
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Access
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaAccK
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mirabilis ICQ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQNet
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~1
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PaperPort PTD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pptd40nt
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pccguide.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pccguide
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PPWebCap
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PPWebCap
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealPlayer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realplay
hkey HKCU
command "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpgs2wnd
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Skype
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TeaTimer
hkey HKCU
command C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSnD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SpybotSD
hkey HKLM
command "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\STYLEXP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item StyleXP
hkey HKCU
command C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TBPS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TBPS
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Uninstall_WinTools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WTuninst
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UserFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -u
hkey HKLM
command %systemroot%\system32\dumprep 0 -u
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\userinit.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item userinit
hkey HKCU
command C:\WINDOWS\userinit.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wcmdmgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wcmdmgrl
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinAlarm
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WinAlarm
hkey HKLM
command C:\Program Files\WinAlarm\WinAlarm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinTools
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WToolsA
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WUSB54Gv4
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InvokeSvc3
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item YahooMessenger
hkey HKCU
command "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Zone Labs Client
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zlclient
hkey HKLM
command "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = ()
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
\\UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\igfxcui - igfxsrvc.dll = (Intel Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{5C486ECD-DE0E-4013-9438-5D8720937513} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{83697EB4-27BC-476F-A010-8B3289D0F589} - (Realtek RTL8139 Family PCI Fast Ethernet NIC)
{99FD13CB-973F-43AC-80B4-F0D2A2A21403} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
#8 Mortain (Topic Starter)

\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000023\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000024\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000025\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000026\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000027\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000028\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000029\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000030\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»



Vundo Log not available (it found nothing)




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:00:03 PM 12/8/2006

+ Scan result:



HKU\S-1-5-21-1275210071-448539723-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0198467.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1\A0000045.DLL -> Adware.MyWaySpeed : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197784.exe -> Adware.NewDotNet : No action taken.
C:\Program Files\Common Files\{541B46AD-0A83-1033-0716-030224200001}\system.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197781.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP681\A0189503.dll -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP681\A0189504.exe -> Downloader.Zlob.axi : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197779.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : No action taken.
G:\dBpowerAMP v.11+ Codecs Crack.zip/dBpowerAMP Music Converter v.11+ (Full Codecs-Powerpack & Crack)/PROGRAMA - PowerPack + Cracks/PowerPacks + Cracks + Utilidades/Crack 1 PowerPack de dbpoweramp Music converter v.9/Powerpack_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Ad-logics : No action taken.
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.83:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.84:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.85:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.11:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.12:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Gator : No action taken.
:mozilla.102:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.103:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.51:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.52:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.53:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : No action taken.
:mozilla.54:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : No action taken.
:mozilla.55:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : No action taken.
:mozilla.56:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : No action taken.
:mozilla.62:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.64:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.65:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.66:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.67:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.72:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.86:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.87:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Super Beast\Desktop\backups\backup-20061208-115936-306.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP687\A0199953.dll -> Trojan.BHO.g : No action taken.
C:\WINDOWS\userinit.exe -> Trojan.Pakes : No action taken.
C:\gvbmw.exe -> Trojan.Pakes : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197777.dll -> Trojan.Sinowal.bh : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197778.dll -> Trojan.Sinowal.bh : No action taken.
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197786.exe -> Trojan.Small : No action taken.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 11:55:59 AM, on 12/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Super Beast\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.c...mpaign=wdz0605a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wajas.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lgigfevp.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\Software\..\Telephony: DomainName = Suberbest
O17 - HKLM\System\CCS\Services\Tcpip\..\{83697EB4-27BC-476F-A010-8B3289D0F589}: Domain = superbeast
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Suberbest
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Mortain, there are still some problems, which I will try to get rid of this time. Again, copy and paste this post to a text file for reference.

First, can you please upload this file to Jotti: C:\WINDOWS\system32\dhovmcn.dll, and post the returned data in your next post.

Now to continue

The first priority is to get AVG set up properly:

Start AVG Anti-Spyware, then

Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Then close AVG.


The above two steps are important.

Having done that

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.c...mpaign=wdz0605a
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wajas.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\lgigfevp.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Next

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\gvbmw.exe
    C:\WINDOWS\system32\abadd.bak1
    C:\WINDOWS\system32\abadd.ini
    C:\WINDOWS\system32\drvgib.dll
    C:\WINDOWS\system32\aysxckc.dll
    C:\WINDOWS\system32\lgigfevp.dll
    C:\WINDOWS\system32\wingdm32.dll
    C:\Program Files\Common Files\{541B46AD-0A83-1033-0716-030224200001}
    C:\PROGRAM FILES\NEWDOTNET

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then please download Rogue Remover and run it; this will generate a report.

Now re-run ATF

Followed by AVG again

Finally carry out the following

Go Start > Run and type in msconfig then enter
Select the start up tab
Place a check mark in all items
Select apply
DO NOT REBOOT


Now generate a new HJT report

Then post the following reports: JOTTI, AVG, Rogue Remover and a new HJT.

#10
Mortain

    New Member

  • Topic Starter
  • Member
  • 8 posts
Uploaded dhovmcn.dll

#11
Mortain

    New Member

  • Topic Starter
  • Member
  • 8 posts
AVG was set up properly upon following your instructions.

Could not find:
O2 - BHO: (no name) - {03973B60-588F-D9EA-3CB9-031F346EAF8A} - C:\WINDOWS\system32\aysxckc.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} -
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

When scanning with AVG I found the two following High Risk files.

Trojan.Pakes
Trojan.BHO.g
Downloader.Zlob.Axi
Trojan.Sinwal.bh
Trojan.small

About 47% into the process, the computer restarted. *slaps it*

Anyhow, restarted, finished the scan, fixed problems with AVG, quarantined what needed to be, and did everything else as requested. Here are the logs.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:34:06 PM 12/13/2006

+ Scan result:



HKU\S-1-5-21-1275210071-448539723-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0198467.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1\A0000045.DLL -> Adware.MyWaySpeed : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197784.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{541B46AD-0A83-1033-0716-030224200001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197781.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP681\A0189503.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP681\A0189504.exe -> Downloader.Zlob.axi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197779.dll -> Not-A-Virus.Hoax.Win32.Renos.fw : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Ad-logics : Cleaned.
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.83:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.84:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.85:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Super Beast\Cookies\super [email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.11:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.12:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Super Beast\Cookies\super [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Gator : Cleaned.
:mozilla.102:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.103:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.51:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.52:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.53:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : Cleaned.
:mozilla.54:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : Cleaned.
:mozilla.55:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : Cleaned.
:mozilla.56:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Oxcash : Cleaned.
:mozilla.62:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.64:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.65:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.66:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.67:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\9o0sfy0r.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.72:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.14:C:\Documents and Settings\Super Beast\Application Data\Mozilla\Firefox\Profiles\default.gq7\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.86:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.87:C:\Documents and Settings\Super Beast\Application Data\Phoenix\Profiles\default\lc87w5ab.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Super Beast\Desktop\backups\backup-20061208-115936-306.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP687\A0199953.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
C:\!KillBox\gvbmw.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP691\A0202008.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\userinit.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197777.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197778.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{75414C1F-F3B2-4246-9611-8361071C9FE4}\RP685\A0197786.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


RogueRemover v1.03
Malwarebytes ©2006/©2007 http://www.malwarebytes.org
1480 total fingerprints loaded.

Loading database ...
Expanding environmental variables ...
Ready, beginning scan ...

Scanning files ... [ 100% ].
Scanning folders ... [ 100% ].
Scanning registry keys ... [ 100% ].
Scanning registry values ... [ 100% ].

RogueRemover has detected rogue antispyware components! Results below...

Type: Folder
Vendor: Ultimate Cleaner
Location: C:\Program Files\Ultimate Cleaner

Rogue Remover has finished removing the above objects.




Logfile of HijackThis v1.99.1
Scan saved at 12:38:35 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Furcadia2\Mreow Proxy\mreowproxy_486.exe
C:\Program Files\Furcadia2\furcadia.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Super Beast\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinAlarm] C:\Program Files\WinAlarm\WinAlarm.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dhovmcn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dhovmcn.dll,pkreivb
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgib.dll,startup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Felix II] C:\Program Files\ScreenMates\Felix II\Felix2.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...lscbase8460.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\Software\..\Telephony: DomainName = Suberbest
O17 - HKLM\System\CCS\Services\Tcpip\..\{83697EB4-27BC-476F-A010-8B3289D0F589}: Domain = superbeast
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Suberbest
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Suberbest
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Welcome back Mortain, a few more things still to do though. Again, please copy and paste this post to a text file for reference. Some of the problems AVG found were in your System Restore; we will clean that at the end.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Next, download LSPFix.exe and Winsockfix to a convenient location. Do NOT run these programs. They are only to be used if you lose Internet access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-hand side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program. Then run Winsockfix.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKLM\..\Run: [dhovmcn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dhovmcn.dll,pkreivb
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgib.dll,startup

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\PROGRAM FILES\NEWDOTNET
    C:\WINDOWS\userinit.exe
    C:\WINDOWS\system32\dhovmcn.dll
    C:\WINDOWS\system32\drvgib.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now set MSConfig to normal startup:
  • Go to Start > Run.
  • Type in msconfig and press Enter.
  • Go to the Startup tab and place a check next to all items.
  • Click Apply.
  • Reboot.



Follow this up with another ATF run, and finally a new HJT log. Keep smiling :whistling:
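The four O4 entries the helper picked out above were found by eye: a Run-key userinit.exe sitting in C:\WINDOWS instead of system32 (and already flagged by AVG as Trojan.Pakes), two rundll32 entries loading oddly named DLLs from system32, and the New.Net adware loader. The script below, an added example for this thread rather than anything HijackThis or the helper's instructions do, applies those same checks mechanically to O4 lines copied from the 12/13 log: it cross-references each autostart target against the AVG detection paths quoted earlier, flags Windows binary names that appear outside their canonical location (the canonical paths and the default C:\WINDOWS install are assumptions), treats any Run entry for a binary Winlogon launches itself as hostile, and queues rundll32 payloads loaded from the Windows directory for manual review.

```python
r"""Triage HijackThis O4 (Run-key) entries the way the helper above did by eye.

Added example for this thread: not HijackThis code and not part of the
helper's instructions.  SAMPLE_O4 is copied from the 12/13 HijackThis log;
DETECTED holds the AVG Anti-Spyware hits quoted in the same post.  CANONICAL
is an assumption (default XP install in C:\WINDOWS).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First file path in a command line: optionally quoted, ends at the first
# .exe/.dll/.ocx so unquoted paths with spaces ("C:\Program Files\...") survive.
PATH_RE = re.compile(r'^"?(?P<p>[^"]*?\.(?:exe|dll|ocx))', re.I)

# Where these binaries live on a default XP install; malware copies them
# elsewhere under the same name (assumption for this example).
CANONICAL = {
    "userinit.exe": r"c:\windows\system32\userinit.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
}
# Winlogon launches these itself; Windows never registers them under a Run key.
WINLOGON_OWNED = {"userinit.exe", "winlogon.exe"}
# Name fragment of the component the helper told the poster to remove.
KNOWN_UNWANTED = ("newdot",)
RANK = {"high": 2, "review": 1}

# Constructed sample: a subset of the O4 lines from the log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dhovmcn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dhovmcn.dll,pkreivb
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgib.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
"""
# Files the AVG Anti-Spyware log above reported as detected.
DETECTED = [
    r"C:\WINDOWS\userinit.exe",
    r"C:\!KillBox\gvbmw.exe",
    r"C:\Documents and Settings\Super Beast\Desktop\backups\backup-20061208-115936-306.dll",
]


@dataclass
class Finding:
    name: str
    hive: str
    payload: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def norm(p: str) -> str:
    return p.strip().strip('"').lower().replace("/", "\\")


def basename(p: str) -> str:
    return norm(p).rsplit("\\", 1)[-1]


def target_of(cmd: str) -> Tuple[str, Optional[str]]:
    """Return (launcher, dll): the executable that runs and, for rundll32
    commands, the DLL it loads (None for anything else)."""
    toks = cmd.strip().split(None, 1)
    if not toks:
        return "", None
    if basename(toks[0]) in ("rundll32", "rundll32.exe"):
        rest = toks[1] if len(toks) > 1 else ""
        return "rundll32.exe", rest.split(",")[0].strip().strip('"')
    m = PATH_RE.match(cmd.strip())
    return (m.group("p") if m else toks[0].strip('"')), None


def triage(o4_lines, detected_paths) -> List[Finding]:
    """Score each O4 line; entries with no hit are dropped."""
    detected = {norm(p) for p in detected_paths}
    findings = []
    for line in o4_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        launcher, dll = target_of(e["cmd"])
        payload = dll if dll is not None else launcher
        hits = []
        if norm(payload) in detected:
            hits.append(("high", "target was detected by the AV scan"))
        if basename(payload) in WINLOGON_OWNED:
            hits.append(("high", "Winlogon starts this binary itself; a Run entry for it is not Windows'"))
        canon = CANONICAL.get(basename(payload))
        if canon and norm(payload) != canon:
            hits.append(("high", "system binary name outside its canonical path " + canon))
        if any(k in norm(payload) for k in KNOWN_UNWANTED):
            hits.append(("high", "component the thread identifies for removal"))
        if dll is not None and norm(dll).startswith("c:\\windows\\") and not hits:
            hits.append(("review", "rundll32 loads a DLL from the Windows directory; verify its publisher and export"))
        if hits:
            worst = max(hits, key=lambda h: RANK[h[0]])[0]
            findings.append(Finding(e["name"], e["hive"], payload, worst, [r for _, r in hits]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4.splitlines(), DETECTED):
        print(f"{f.severity:6} {f.hive}\\..\\Run [{f.name}] -> {f.payload}")
        for r in f.reasons:
            print("        " + r)
```

Run as-is it reports the same four entries the helper listed and nothing else; the rundll32 rule is deliberately "review" rather than "high", since vendor DLLs are also loaded that way from system32, and the canonical-path check needs its paths adjusted on a machine whose %SystemRoot% is not C:\WINDOWS.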

#13
Mortain (Topic Starter, New Member, 8 posts)
Thanks for the reply, I'll get on it as soon as my computer is done being picked over for whatever is making it restart every 30 seconds. *head desk* I've had a few critical system errors and I know I'm now missing the Winmanagement.exe file, whatever it's called, in the system32 folder and a ton of others that the virus wiped out, so now it's really being a butt. I'm about ready to put my foot through the side of it and go buy a new one. Ugh.

#14
OwNt (Malware Expert, Retired Staff, 7,457 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.