Logfile of HijackThis v1.99.1
Scan saved at 12:57:42 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\uupvar.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mandy\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol....mes/default.jsp
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMEBAR\gamebar.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CEngine Object - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: (no name) - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMEBAR\gamebar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [activex monitor] wputxp.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [Winamp Agent] C:\WINDOWS\System32\winamp.exe
O4 - HKLM\..\Run: [Windows Desktop Controler] windesktop.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [USB Drivers1] msfierwall.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [4hre23v1] C:\Program Files\4hre23v1\4hre23v1.exe
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\System32\adsmsext.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [ORWPDLL] C:\WINDOWS\ORWPDLL.EXE
O4 - HKLM\..\Run: [ORWPENC] C:\WINDOWS\ORWPENC.EXE
O4 - HKLM\..\Run: [wposxi] c:\windows\system32\wposxi.exe
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\Run: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Warning: do not remove it! (system)] cfpsys.exe
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\elitexay32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Zango Messenger\em2.exe" -wait
O4 - HKLM\..\Run: [Fdmph] c:\Program Files\Fiyhgp\Fajmm.exe
O4 - HKLM\..\Run: [yE3a] C:\WINDOWS\vlpxc.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\12900a5b.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ycdwdh.exe
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SECURITY.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [hpmszxs] c:\windows\system32\wnmoinv.exe
O4 - HKLM\..\Run: [BadSubtract] C:\Program Files\InterMute\BadSubtract\BadSub.exe -run
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uupvar.exe reg_run
O4 - HKLM\..\Run: [racscay] c:\windows\system32\rcmbpg.exe r
O4 - HKLM\..\RunServices: [activex monitor] wputxp.exe
O4 - HKLM\..\RunServices: [Windows Desktop Controler] windesktop.exe
O4 - HKLM\..\RunServices: [USB Drivers1] msfierwall.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Processe Manager] mspn32.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunOnce: [8vrolo.exe] C:\WINDOWS\System32\8vrolo.exe /k
O4 - HKLM\..\RunOnce: [Trojan Remover] C:\Program Files\Trojan Remover\uev1.exe TRLOG.TXT
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Desktop Controler] windesktop.exe
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg.dll"
O4 - HKCU\..\RunServices: [Windows Desktop Controler] windesktop.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by9fd.bay9.ho...es/MsnPUpld.cab
O16 - DPF: {5B59DA81-5B9E-4F3D-AF5B-A0C644037165} (AIM PicDownloader Control) - http://pictures04.ai...AIM.9.5.1.5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108793591831
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {8F9D2276-C29C-4122-A7B6-B323773B385B} (e-games.installer) - http://dreamville.e-.../axDown2003.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll
O23 - Service: BadSubtract Content Filter (BadSubtract) - InterMute, Inc. - C:\Program Files\InterMute\BadSubtract\BdSubSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FlowProtectorService - Unknown owner - C:\Program Files\CheckFlow\FlowProtector\4.0.0.10\FlowService.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
Log from another thing
"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Windows Desktop Controler" = "windesktop.exe" [null data]
"Windows Service Drivers" = "mswin32.exe" [null data]
"PCShield" = "regsvr32 /s "C:\WINDOWS\System32\sfg.dll"" [MS]
"xp_system" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"activex monitor" = "wputxp.exe" [file not found]
"Microsoft Internet Explorer" = "C:\WINDOWS\System32\iexplore.exe" [file not found]
"Winamp Agent" = "C:\WINDOWS\System32\winamp.exe" [file not found]
"Windows Desktop Controler" = "windesktop.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s" ["Panda Software International"]
"USB Drivers1" = "msfierwall.exe" [file not found]
"winupdtl" = "C:\WINDOWS\System32\winupdt.exe" [file not found]
"AUNPS2" = "RUNDLL32 AUNPS2.DLL,_Run@16" [MS]
"4hre23v1" = "C:\Program Files\4hre23v1\4hre23v1.exe" [empty string]
"686559a7d273" = "C:\WINDOWS\System32\adsmsext.exe" [file not found]
"BMan" = "C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe" [file not found]
"ORWPDLL" = "C:\WINDOWS\ORWPDLL.EXE" ["UpdateMonitor"]
"ORWPENC" = "C:\WINDOWS\ORWPENC.EXE" ["System Service"]
"wposxi" = "c:\windows\system32\wposxi.exe" [file not found]
"Windows Service Drivers" = "mswin32.exe" [null data]
"Windows Processe Manager" = "mspn32.exe" [file not found]
"System CSRSS Patch" = "scrtkfg.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Warning: do not remove it! (system)" = "cfpsys.exe" ["©2002-2004, Password Protect Software. All Rights Reserved."]
"checkrun" = "c:\windows\system32\elitexay32.exe" [file not found]
"cfgmgr51" = "RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun" [MS]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" [file not found]
"EasyMessage" = ""C:\Program Files\Zango Messenger\em2.exe" -wait" [file not found]
"Fdmph" = "c:\Program Files\Fiyhgp\Fajmm.exe" [file not found]
"yE3a" = "C:\WINDOWS\vlpxc.exe" [file not found]
"System backup" = "C:\WINDOWS\System32\12900a5b.exe" [null data]
"Uninstall_WinTools" = "C:\WINDOWS\Temp\WTuninst.exe /remove" [file not found]
"PS1" = "C:\WINDOWS\System32\ps1.exe" [file not found]
"secure" = "C:\WINDOWS\System32\Ycdwdh.exe" [file not found]
"PCShield" = "regsvr32 /s "C:\WINDOWS\System32\sfg.dll"" [MS]
"Service Host" = "C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SVCHOST.EXE" [file not found]
"Disk Keeper" = "C:\WINDOWS\System32\Services\{CC18C7EC-BBC4-4FD5-853B-014E272A5AF4}\SECURITY.EXE" [file not found]
"Win Server Updt" = "C:\WINDOWS\wupdt.exe" [file not found]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"hpmszxs" = "c:\windows\system32\wnmoinv.exe" [file not found]
"BadSubtract" = "C:\Program Files\InterMute\BadSubtract\BadSub.exe -run" ["InterMute, Inc."]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"KavSvc" = "C:\WINDOWS\System32\uupvar.exe reg_run" [null data]
"racscay" = "c:\windows\system32\rcmbpg.exe r" [null data]
"xp_system" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]
"Microsoft standard protector" = "C:\WINDOWS\winsocks5.exe" [null data]
"ControlPanel" = "C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile" [null data]
"PSGuard" = "C:\Program Files\PSGuard\PSGuard.exe" ["Shuddex Global Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"8vrolo.exe" = "C:\WINDOWS\System32\8vrolo.exe /k" [null data]
"Trojan Remover" = "C:\Program Files\Trojan Remover\uev1.exe TRLOG.TXT" [file not found]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{01F44A8A-8C97-4325-A378-76E68DC4AB2E}\(Default) = "Band Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll" ["Yahoo! Inc."]
{0519A9C9-064A-4cbc-BC47-D0EACD581477}\(Default) = "ICOOExternal Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICOO Loader\addons\icooue.dll" ["ICOO Soft, LTD."]
{2E246FAE-8420-11D9-870D-000C2917DE7F}\(Default) = "Loader Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Loader.dll" [empty string]
{465A59EC-20E5-4fca-A38A-E5EC3C480218}\(Default) = "ICOODManager Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICOO Loader\addons\icoou.dll" ["ICOO Soft, LTD."]
{4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D}\(Default) = "Game Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GAMEBAR\gamebar.dll" [empty string]
{5321E378-FFAD-4999-8C62-03CA8155F0B3}\(Default) = "HBO Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\inet20057\3.00.05.dll" [empty string]
{564FFB73-9EEF-4969-92FA-5FC4A92E2C2A}\(Default) = "SafeGuard Protect PCShield"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\sfg.dll" ["SafeGuard Corporation"]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{A44B961C-8C36-470f-8555-EDA0EFC1E710}\(Default) = "CEngine Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "For &People..."
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\ShellTit.DLL" ["Panda Software International"]
"{A2E92CCB-B810-4FCF-BC8A-651D1806D71D}" = "EEShredFolder"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{D25111DA-EB0A-4EAC-887B-3CF72DF7A390}" = "EEShredFile"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{2B83810F-F4F3-4673-A08B-6E2FBA711ED1}" = "EEShell"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\EE\3.1\EEShell.dll" ["Baltsoft"]
"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [null data]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\InterMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\InterMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "run" = "C:\WINDOWS\inet20057\winlogon.exe" [null data]
Group Policies [Description]:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
[prevents changes to Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]
HIJACK WARNING! "NoDispBackgroundPage"=dword:00000001
[removes Display Properties, Desktop (tab)]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\System32\wp.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "mandy" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"SpySubtract" -> shortcut to: "C:\Program Files\InterMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavlsp.dll ["Panda Software "], 01 - 02, 18
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D}" = "Game Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GAMEBAR\gamebar.dll" [empty string]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_1.dll" ["Yahoo! Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]
HKLM\Software\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\systb.dll" [file not found]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = "AOL Search"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
BadSubtract Content Filter, BadSubtract, "C:\Program Files\InterMute\BadSubtract\BdSubSvc.exe" ["InterMute, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
FlowProtectorService, FlowProtectorService, "C:\Program Files\CheckFlow\FlowProtector\4.0.0.10\FlowService.exe" [file not found]
Hardware Clock Driver, hwclock, "C:\WINDOWS\System32\hwclock.exe" [file not found]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe"" ["Panda Software"]
StyleXPService, StyleXPService, ""C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"" [file not found]
WebSeach Toolbar support NT service, TBPSSvc, "C:\PROGRA~1\Toolbar\TBPSSvc.exe" [file not found]
WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [file not found]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Enjoy