Computer is freezing


This topic is locked

#1 pcnoob (Member, 120 posts)
Hi, my computer is freezing up for about 5 seconds about once an hour. Wondering if it's a virus.

Logfile of HijackThis v1.99.1
Scan saved at 8:19:00 AM, on 12/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\home pc\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



#2 JSntgRvr (Global Moderator, 11,579 posts)
Hi, pcnoob :whistling:

Welcome to Geeks to go and sorry for the delay.

Your log does not show any evident malware. Let's take a deeper look:

Download ComboFix from Here or Here to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
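What the helper did with the log in post #1 (reading each R/O section and concluding "no evident malware") can be partly mechanised. The script below is an added example written for this thread; it is not code from the thread, from HijackThis or from the helper. It parses the section lines and flags the entries an analyst looks at first: a BHO whose DLL is missing (the O2 "(no file)" entry in post #1), a service with "Unknown owner", an autorun target in a user-writable directory, and an ActiveX control served from a host outside an allowlist. The allowlist, the Temp-directory O4 line and both O16 lines (their CLSIDs and URLs) are assumptions constructed for the demonstration; the remaining sample lines are copied from post #1.

```python
"""Triage a HijackThis (HJT) log mechanically.

Added example for this thread; it is not part of the original posts and
not HijackThis code.  It parses the "Rn - ..." / "Onn - ..." lines and
flags the entries an analyst would look at first.  A flag means "look
closer", never "infected": every rule here is a heuristic.
"""
import re
from dataclasses import dataclass

# Autorun (O4) targets in these locations are unusual for legitimate
# software, which installs under Program Files or the Windows directory.
USER_WRITABLE = re.compile(
    r"\\(Local Settings\\Temp|Temp|Application Data|Documents and Settings)\\",
    re.IGNORECASE,
)
# Hosts expected to serve ActiveX (O16) controls on this box.  Assumption
# made for the example: the analyst maintains this allowlist.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "java.sun.com",
                     "pandasoftware.com", "macromedia.com")
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
SEVERITY_ORDER = {"suspicious": 0, "review": 1, "info": 2}


@dataclass
class Finding:
    kind: str       # HJT section, e.g. "O4"
    severity: str   # "suspicious" | "review" | "info"
    reason: str
    line: str


def _host_of(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def _trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                      # header, process list, blank line
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and body.rstrip().endswith("="):
        return Finding(kind, "info", "empty browser setting; harmless", line)
    if kind == "O2" and "(no file)" in body:
        return Finding(kind, "review", "BHO registered but its DLL is gone; orphan to clean up", line)
    if kind == "O4" and USER_WRITABLE.search(body):
        return Finding(kind, "suspicious", "autorun target lives in a user-writable directory", line)
    if kind == "O16":
        host = _host_of(body.rsplit(" - ", 1)[-1])   # URL is the last " - " field
        if not _trusted_host(host):
            return Finding(kind, "review", f"ActiveX control downloaded from unrecognised host '{host}'", line)
    if kind == "O23" and "Unknown owner" in body:
        return Finding(kind, "review", "service binary has no recorded vendor; check its signature", line)
    return None


def triage_log(text: str):
    """All findings for a log, most severe first (stable within a level)."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


# Constructed sample: the R0, both O2, the WinPatrol O4 and both O23 lines
# are copied from the log in post #1; the Temp-directory O4 line and both
# O16 lines (CLSIDs and URLs) are made up for the demonstration.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\home pc\Local Settings\Temp\updater.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control A) - http://www.microsoft.com/example/a.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control B) - http://cdn.example.net/b.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.kind}: {f.reason}\n             {f.line.strip()}")
```

Run it and the Temp-directory autorun prints first. The "Unknown owner" ATI service is flagged as well, the same entry the helper judged benign by eye: the script ranks what to look at, it does not decide.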

#3 pcnoob (Topic Starter)
Hi, thank you for your fast reply. I will post both logs you requested along with the Panda log that said I had 33 viruses.


hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 5:18:41 PM, on 1/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msncall.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\home pc\Desktop\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



ComboFix in attachment


panda scan

Incident Status Location

Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.statcounter.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.atdmt.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.apmebf.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[statse.webtrendslive.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.trafficmp.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.overture.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.c5.zedo.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.zedo.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.247realmedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.burstnet.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.mediaplex.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[www.burstbeacon.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.advertising.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[server.iad.liveperson.net/hc/57211298]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[server.iad.liveperson.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\home pc\Cookies\home pc@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\home pc\Cookies\home pc@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\home pc\Cookies\home [email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\home pc\Cookies\home pc@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\home pc\Cookies\home pc@mediaplex[1].txt
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\180128.tmp
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\18012A.tmp
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\18012B.tmp
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\18012C.tmp
Adware:Adware/Zango Not disinfected C:\npclntax.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Edited by pcnoob, 14 January 2007 - 06:26 PM.

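Most of the Panda report above is tracking cookies: entries inside the Firefox cookies.txt or the IE Cookies folder, which are cleared from the browser and are not executable code. The added example below, not part of the thread and not Panda's code, parses that report format and separates the cookie noise from the on-disk files that still need attention. The sample lines are an excerpt of the report above; the status vocabulary ("Not disinfected", "Disinfected", "Deleted", "Renamed") is an assumption beyond the single value that appears on the page.

```python
"""Sort a Panda ActiveScan report into noise and actionable findings.

Added example for this thread; it is not part of the original posts and
not code from Panda's scanner.
"""
import re
from collections import Counter

# One report line is "<Category>:<Name> <Status> <Location>".  <Name> may
# contain spaces ("Cookie/Traffic Marketplace"), so the status word is the
# separator.  Assumption: the status vocabulary below covers the scanner's
# output; only "Not disinfected" appears in the report on this page.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
    r"(?P<location>.+)$"
)


def parse_report(text: str):
    """One dict per detection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def bucket(row) -> str:
    """Coarse triage bucket.  Cookies are browser-store entries, not code
    on disk: the browser clears them, nothing needs deleting from system32."""
    if row["name"].startswith("Cookie/"):
        return "tracking_cookie"
    if row["category"] == "Adware":
        return "adware"
    if row["category"].startswith("Potentially unwanted"):
        return "pua"
    return "other"


def summarize(rows) -> dict:
    """Count of detections per bucket."""
    return dict(Counter(bucket(r) for r in rows))


def actionable_files(rows):
    """On-disk paths that still need attention: every non-cookie detection
    the scanner did not already clean, sorted and de-duplicated."""
    paths = {
        r["location"] for r in rows
        if bucket(r) != "tracking_cookie" and r["status"] == "Not disinfected"
    }
    return sorted(paths)


# Excerpt of the report posted above (constructed sample for the demo).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\home pc\Application Data\Mozilla\Firefox\Profiles\lmvsuypq.default\cookiesnew.txt[.trafficmp.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\home pc\Cookies\home pc@atdmt[2].txt
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\180128.tmp
Adware:Adware/Zango Not disinfected C:\Documents and Settings\home pc\Local Settings\Temp\18012A.tmp
Adware:Adware/Zango Not disinfected C:\npclntax.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
"""

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(summarize(rows))
    for path in actionable_files(rows):
        print("check:", path)
```

On this excerpt the summary is three cookies, three Zango files and one potentially unwanted tool, and the actionable list is the two Temp files, C:\npclntax.dll and C:\WINDOWS\system32\Process.exe; the first three of those are exactly what the helper has the poster remove in post #6.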

#4 JSntgRvr (Global Moderator)
Hi, pcnoob :whistling:

Please do not attach the reports to your reply, as it will be difficult to read. In order to attach a report to a reply, you must first save the report in a particular folder, then compress the folder (right-click on the folder and select Send to -> Compressed Folder), and it is the compressed folder that can be attached to a reply. Otherwise the document will lose its format.

Run Combofix again and post its report (Copy and paste its contents on the main reply window).

Thanks.

#5 pcnoob (Topic Starter)
"home pc" - 07-01-14 19:06:28 Service Pack 1
ComboFix 07-01-15 - Running from: "C:\Documents and Settings\home pc\Desktop"

ERROR !!! /wow section not completed

((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))


2007-01-13 14:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-13 13:24 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-12 07:41 <DIR> d-------- C:\Program Files\MSN Messenger
2007-01-11 15:21 <DIR> d-------- C:\Program Files\uTorrent
2007-01-11 15:21 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\Application Data\uTorrent
2007-01-03 15:27 <DIR> d-------- C:\Program Files\Skype
2007-01-03 15:27 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\Application Data\Skype
2007-01-03 15:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Skype
2006-12-19 18:42 <DIR> d-------- C:\WINDOWS\SxsCaPendDel


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 19:02 -------- d-------- C:\Program Files\mozilla firefox
2007-01-11 10:08 -------- d-------- C:\Program Files\apple software update
2007-01-03 10:21 -------- d-------- C:\Program Files\google
2006-12-22 18:23 -------- d-------- C:\Program Files\soldier of fortune ii - double helix
2006-12-16 19:30 -------- d-------- C:\Program Files\trend micro
2006-11-16 19:39 -------- d-------- C:\Program Files\real


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-14 19:06:53
C:\ComboFix2.txt ... 07-01-14 19:01
C:\ComboFix3.txt ... 07-01-14 17:22

#6 JSntgRvr (Global Moderator)
Hi, pcnoob :whistling:

Go to Start->Run, type %TEMP% and click OK. The TEMP folder will open. Select Edit from the menu, then Select All. Once all files and folders are highlighted, hit the delete key and send all files and folders to the Recycle bin.

Click here to download WinPFind.
  • Right-click the Zip folder and select "Extract All"
  • Extract it somewhere you will remember, like the Desktop
  • Don't do anything with it yet!
Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Locate and delete the following file:

C:\npclntax.dll

Empty the Recycle bin.
  • Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete, restart the computer back in Normal Mode.
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next reply!


#7 pcnoob (Topic Starter)
I did go to the temp folder and it was empty, unless I was supposed to add the % signs; I did it wrong, I didn't add them. I did search and delete the folder you said to. Here is the log you requested.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 1/14/2007 10:35:13 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\home pc\Desktop\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 12/12/2003 12:52:36 AM 278668 C:\WINDOWS\epsuninst.exe (Marcelo Bona Boff)
UPX! 7/17/2002 3:07:04 AM 43008 C:\WINDOWS\unwash.exe ()

Checking %System% folder...
PEC2 8/23/2001 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 5/17/2006 10:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
PECompact2 8/9/2006 12:03:06 PM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/9/2006 12:03:06 PM 8325544 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/23/2001 5:00:00 AM 1135616 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 8/23/2001 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/28/2002 8:41:10 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
UPX! 4/27/2006 4:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe (S!Ri)
UPX! 1/9/2006 9:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe ()
UPX! 1/9/2006 9:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe ()
winsync 8/23/2001 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
UPX! 8/20/2006 9:45:50 PM 777472 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 8/20/2006 9:45:50 PM 777472 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 8/20/2006 9:45:50 PM 777472 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 8/20/2006 9:45:50 PM 777472 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/14/2007 10:33:10 PM S 2048 C:\WINDOWS\bootstat.dat ()
1/13/2007 2:10:50 PM H 0 C:\WINDOWS\LastGood\INF\oem12.inf ()
1/13/2007 2:10:50 PM H 0 C:\WINDOWS\LastGood\INF\oem12.PNF ()
1/14/2007 10:33:06 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
1/14/2007 10:33:14 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
1/14/2007 10:33:10 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
1/14/2007 10:34:12 PM H 81920 C:\WINDOWS\system32\config\software.LOG ()
1/14/2007 10:33:10 PM H 790528 C:\WINDOWS\system32\config\system.LOG ()
1/13/2007 6:20:04 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
11/30/2006 2:15:54 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\1bee04c3-2b80-44f2-aeca-f70c1c5690f8 ()
11/30/2006 2:15:54 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
1/14/2007 10:32:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/11/2005 3:29:46 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl (Macrovision Corporation)
8/29/2002 3:41:00 AM 207360 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/10/2005 12:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/29/2002 3:41:00 AM 207360 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/28/2002 8:41:28 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/23/2001 5:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{14B87622-7E19-4EA8-93B3-97215F77A6BC} - MessengerStatsClient Class - CodeBase = http://messenger.zon...nt.cab31267.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft....k/?linkid=39204
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://by108fd.bay10...es/MsnPUpld.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{B8BE5E93-A60C-4D26-A2DC-220313175592} - ZoneIntro Class - CodeBase = http://cdn2.zone.msn...ro.cab34246.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macr...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/4/2005 8:57:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
8/11/2006 2:01:44 PM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/21/2006 9:08:26 PM 305 C:\Documents and Settings\All Users\Application Data\addr_file.html ()
12/4/2005 1:48:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
8/11/2006 2:03:44 PM 1177 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()
8/21/2006 1:18:18 PM 5938 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
12/4/2005 8:57:48 PM HS 84 C:\Documents and Settings\home pc\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
12/4/2005 1:48:50 PM HS 62 C:\Documents and Settings\home pc\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...&ar=msnhome
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINDOWS\System32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...&ar=msnhome
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com
\\Local Page - C:\WINDOWS\System32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\System32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - = ()
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8195
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 =
\\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 8194 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = ()
\\{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = ()
\\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinRAR - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\ACE - {5E2121EE-0300-11D4-8D3B-444553540000} = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - = ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
WinPatrol - C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe (BillP Studios)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\home pc\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{147F0572-F8ED-4D7D-A2DE-49471C60BCB4} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINDOWS\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
  • 0

#8
JSntgRvr
Global Moderator, 11,579 posts
Hi, pcnoob :whistling:

Go to Start->Run, type %TEMP% (Must use the % symbols) and click OK. The TEMP folder will open. Select Edit from the menu, then Select All. Once all files and folders are highlighted, hit the delete key and send all files and folders to the Recycle bin. Empty your Recycle Bin.

There is no sign of other malware in the computer. How is it doing?
  • 0

#9
pcnoob
Topic Starter, Member, 120 posts
Hi, I went to %temp% and it would not let me delete anything. It said

cannot delete ~DF1ADD
Access denied
Make sure the disk is not full or the write-protected and that the file is not in use.

It's still going slower than usual.
  • 0

#10
JSntgRvr
Global Moderator, 11,579 posts
Hi, pcnoob :whistling:

Download the enclosed file:
Save and extract its contents to the desktop. It is a folder containing a batch file, TempDir.bat. Once extracted, open the folder and double-click on the TempDir.bat file. A new document will be produced. Copy and paste its contents in a reply.
  • 0


#11
pcnoob
Topic Starter, Member, 120 posts
Volume in drive C has no label.
Volume Serial Number is B044-6DD3

Directory of C:\Documents and Settings\home pc\Local Settings\Temp

01/15/2007 11:38 AM <DIR> .
01/15/2007 11:38 AM <DIR> ..
01/15/2007 11:07 AM 13,419 hpodvd09.log
01/14/2007 07:08 PM 1,342 MAR1.tmp
01/14/2007 07:08 PM 1,285 MAR2.tmp
01/14/2007 10:20 PM 1,342 MAR3.tmp
01/14/2007 10:20 PM 1,285 MAR4.tmp
01/14/2007 10:31 PM 1,342 MAR5.tmp
01/14/2007 10:31 PM 1,285 MAR6.tmp
01/14/2007 10:42 PM 1,342 MAR7.tmp
01/14/2007 10:42 PM 1,285 MAR8.tmp
01/15/2007 06:58 AM 1,342 MAR9.tmp
01/15/2007 06:58 AM 1,285 MARA.tmp
01/15/2007 08:57 AM 1,342 MARB.tmp
01/15/2007 08:57 AM 1,285 MARC.tmp
01/15/2007 11:27 AM 1,342 MARD.tmp
01/15/2007 11:27 AM 1,285 MARE.tmp
01/15/2007 08:57 AM 410 STS10.tmp
01/15/2007 11:27 AM 410 STS13.tmp
01/14/2007 07:09 PM 410 STS6.tmp
01/14/2007 10:20 PM 410 STS8.tmp
01/14/2007 10:32 PM 410 STSA.tmp
01/14/2007 10:42 PM 410 STSC.tmp
01/15/2007 06:58 AM 410 STSF.tmp
01/15/2007 11:28 AM 360,448 ~DFEC00.tmp
01/15/2007 11:28 AM 49,152 ~DFEC0D.tmp
01/15/2007 11:28 AM 360,448 ~DFF3C8.tmp
01/15/2007 11:28 AM 512 ~DFF3DE.tmp
26 File(s) 805,238 bytes
2 Dir(s) 70,198,030,336 bytes free
  • 0

#12
JSntgRvr
Global Moderator, 11,579 posts
Hi, pcnoob :whistling:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\home pc\Local Settings\Temp\hpodvd09.log
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR1.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR2.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR3.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR4.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR5.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR6.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR7.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR8.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MAR9.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MARA.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MARB.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MARC.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MARD.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\MARE.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STS10.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STS13.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STS6.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STS8.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STSA.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STSC.tmp
    C:\Documents and Settings\home pc\Local Settings\Temp\STSF.tmp


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Go to Start->Run, type %TEMP% (Must use the % symbols) and click OK. The TEMP folder will open. Confirm the files were deleted. Files such as ~DFEC00.tmp are normal temp files.

Let me know how the computer is doing.
  • 0

#13
pcnoob
Topic Starter, Member, 120 posts
~DFEC00.tmp is not there but all the others are. Should I do Killbox again?
  • 0

#14
JSntgRvr
Global Moderator, 11,579 posts
Hi, pcnoob :whistling:

> ~DFEC00.tmp is not there but all the others are. Should I do Killbox again?

Run the TempDir.bat file again and post its results.
  • 0

#15
pcnoob
Topic Starter, Member, 120 posts
I hope this is what you meant; I got kind of confused.

Volume in drive C has no label.
Volume Serial Number is B044-6DD3

Directory of C:\Documents and Settings\home pc\Local Settings\Temp

01/16/2007 01:11 PM <DIR> .
01/16/2007 01:11 PM <DIR> ..
01/16/2007 10:53 AM 5,751 hpodvd09.log
01/14/2007 07:08 PM 1,342 MAR1.tmp
01/15/2007 06:34 PM 1,285 MAR10.tmp
01/15/2007 06:53 PM 1,342 MAR11.tmp
01/15/2007 06:53 PM 1,285 MAR12.tmp
01/16/2007 07:32 AM 1,342 MAR13.tmp
01/16/2007 07:32 AM 1,285 MAR14.tmp
01/16/2007 08:01 AM 1,342 MAR15.tmp
01/16/2007 08:01 AM 1,285 MAR16.tmp
01/16/2007 08:27 AM 1,342 MAR17.tmp
01/16/2007 08:27 AM 1,285 MAR18.tmp
01/16/2007 09:00 AM 1,342 MAR19.tmp
01/16/2007 09:00 AM 1,285 MAR1A.tmp
01/16/2007 10:44 AM 1,342 MAR1B.tmp
01/16/2007 10:44 AM 1,285 MAR1C.tmp
01/16/2007 01:08 PM 1,342 MAR1D.tmp
01/16/2007 01:08 PM 1,285 MAR1E.tmp
01/14/2007 07:08 PM 1,285 MAR2.tmp
01/14/2007 10:20 PM 1,342 MAR3.tmp
01/14/2007 10:20 PM 1,285 MAR4.tmp
01/14/2007 10:31 PM 1,342 MAR5.tmp
01/14/2007 10:31 PM 1,285 MAR6.tmp
01/14/2007 10:42 PM 1,342 MAR7.tmp
01/14/2007 10:42 PM 1,285 MAR8.tmp
01/15/2007 06:58 AM 1,342 MAR9.tmp
01/15/2007 06:58 AM 1,285 MARA.tmp
01/15/2007 08:57 AM 1,342 MARB.tmp
01/15/2007 08:57 AM 1,285 MARC.tmp
01/15/2007 11:27 AM 1,342 MARD.tmp
01/15/2007 11:27 AM 1,285 MARE.tmp
01/15/2007 06:34 PM 1,342 MARF.tmp
01/16/2007 09:20 AM <DIR> MessengerCache
01/16/2007 08:29 AM <DIR> plugtmp
01/15/2007 08:57 AM 410 STS10.tmp
01/15/2007 11:27 AM 410 STS13.tmp
01/15/2007 06:34 PM 410 STS14.tmp
01/15/2007 06:53 PM 410 STS17.tmp
01/16/2007 07:32 AM 410 STS19.tmp
01/16/2007 08:01 AM 410 STS1B.tmp
01/16/2007 08:27 AM 410 STS1D.tmp
01/16/2007 09:00 AM 410 STS20.tmp
01/16/2007 10:44 AM 410 STS21.tmp
01/16/2007 01:09 PM 410 STS24.tmp
01/14/2007 07:09 PM 410 STS6.tmp
01/14/2007 10:20 PM 410 STS8.tmp
01/14/2007 10:32 PM 410 STSA.tmp
01/14/2007 10:42 PM 410 STSC.tmp
01/15/2007 06:58 AM 410 STSF.tmp
01/16/2007 01:09 PM 360,448 ~DF4610.tmp
01/16/2007 01:09 PM 49,152 ~DF461D.tmp
01/16/2007 01:09 PM 360,448 ~DF4E63.tmp
01/16/2007 01:09 PM 512 ~DF4E75.tmp
01/16/2007 08:56 AM 16,384 ~DFC221.tmp
51 File(s) 838,250 bytes
4 Dir(s) 70,189,920,256 bytes free
  • 0
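The two TempDir.bat listings in posts #11 and #15 are the evidence for whether the Killbox deletion in post #12 actually happened, and reading 50 lines of `dir` output by eye is error-prone. The following is an added example, not code from the thread or from any tool named in it: a small parser for Windows `dir` output that checks the pasted listing against its own "File(s)" summary line (a mismatch means lines were lost in copying), reports which of the files scheduled for deletion are still present, and separates them from the fresh `~DF*.tmp` scratch files that come and go between listings. The two listings embedded below are constructed, abbreviated transcriptions of the ones posted above; `KILLBOX_TARGETS` is likewise a shortened form of the list in post #12.

```python
import re
from typing import Dict, List, Optional, Tuple

# One entry line of `dir` output: date, time, "<DIR>" or a comma-grouped size, name.
# Forum copies collapse the column padding, so any run of whitespace is accepted.
_ENTRY = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
# The "N File(s)  X bytes" summary that `dir` prints after the entries.
_SUMMARY = re.compile(r"^(\d+)\s+File\(s\)\s+([\d,]+)\s+bytes$")

# Constructed, abbreviated version of the listing in post #11 (before Killbox).
BEFORE = """\
 Volume in drive C has no label.
 Volume Serial Number is B044-6DD3

 Directory of C:\\Documents and Settings\\home pc\\Local Settings\\Temp

01/15/2007  11:38 AM    <DIR>          .
01/15/2007  11:38 AM    <DIR>          ..
01/15/2007  11:07 AM            13,419 hpodvd09.log
01/14/2007  07:08 PM             1,342 MAR1.tmp
01/14/2007  07:08 PM             1,285 MAR2.tmp
01/15/2007  08:57 AM               410 STS10.tmp
01/15/2007  11:28 AM           360,448 ~DFEC00.tmp
               5 File(s)        376,904 bytes
               2 Dir(s)  70,198,030,336 bytes free
"""

# Constructed, abbreviated version of the listing in post #15 (after Killbox).
AFTER = """\
01/16/2007  01:11 PM    <DIR>          .
01/16/2007  01:11 PM    <DIR>          ..
01/16/2007  10:53 AM             5,751 hpodvd09.log
01/14/2007  07:08 PM             1,342 MAR1.tmp
01/14/2007  07:08 PM             1,285 MAR2.tmp
01/16/2007  09:20 AM    <DIR>          MessengerCache
01/15/2007  08:57 AM               410 STS10.tmp
01/16/2007  01:09 PM           360,448 ~DF4610.tmp
               5 File(s)        369,236 bytes
               3 Dir(s)  70,189,920,256 bytes free
"""

# Shortened form of the file list pasted into Killbox in post #12 (names only).
KILLBOX_TARGETS = ["hpodvd09.log", "MAR1.tmp", "MAR2.tmp", "STS10.tmp"]


def parse_dir_listing(text: str) -> Dict[str, Optional[int]]:
    """Map each entry name to its size in bytes; <DIR> entries map to None.

    The volume header, the '.' and '..' entries and the summary lines are skipped.
    """
    entries: Dict[str, Optional[int]] = {}
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        size_field, name = m.group(3), m.group(4)
        if name in (".", ".."):
            continue
        entries[name] = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
    return entries


def file_totals(entries: Dict[str, Optional[int]]) -> Tuple[int, int]:
    """(file count, total bytes): the two numbers on the File(s) summary line."""
    sizes = [s for s in entries.values() if s is not None]
    return len(sizes), sum(sizes)


def summary_matches(text: str) -> bool:
    """True when our parse reproduces the listing's own File(s) summary line.

    A mismatch means an entry was dropped or mangled when the listing was pasted.
    """
    for raw in text.splitlines():
        m = _SUMMARY.match(raw.strip())
        if m:
            claimed = (int(m.group(1)), int(m.group(2).replace(",", "")))
            return file_totals(parse_dir_listing(text)) == claimed
    return False


def compare_listings(before: Dict[str, Optional[int]],
                     after: Dict[str, Optional[int]]) -> Tuple[List[str], List[str], List[str]]:
    """Names removed, names added and names present in both listings."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b), sorted(a & b)


def still_present(targets: List[str], after: Dict[str, Optional[int]]) -> List[str]:
    """Which of the files scheduled for deletion are still listed afterwards."""
    return [t for t in targets if t in after]


if __name__ == "__main__":
    before, after = parse_dir_listing(BEFORE), parse_dir_listing(AFTER)
    print("listings intact:", summary_matches(BEFORE), summary_matches(AFTER))
    removed, added, kept = compare_listings(before, after)
    print("removed:", removed, "added:", added)
    print("deletion targets still present:", still_present(KILLBOX_TARGETS, after))
```

Run against the two abbreviated listings, the script confirms both pastes are internally consistent, shows that only the locked scratch file `~DFEC00.tmp` disappeared (replaced by a new `~DF4610.tmp`, the behaviour the moderator describes as normal) and that every file on the Killbox list is still in place, which is the same conclusion the moderator draws by asking for a second listing.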
