Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

My log. [RESOLVED]

Started by Mike7392000 , Jul 04 2005 10:13 AM

  • Please log in to reply

#16
Mike7392000
Posted 13 July 2005 - 03:15 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I followed your instructions and successfullly deleted the following:
C:\Program Files\wwrxsour\b0xDI8BM.dll
C:\Program Files\wwrxsour\b0xDI8BM.exe
C:\Program Files\wwrxsour\cnml.exe

However upon reboot, the following file was still there:
C:\WINDOWS\system32\drivers\winik.sys
  • 0

Advertisements

#17
Excal
Posted 13 July 2005 - 06:49 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Registry Search Tool

Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:

winik

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
  • 0

#18
Mike7392000
Posted 13 July 2005 - 06:59 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winik" 13/07/2005 13:56:34

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000]
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK\0000\Control]
"ActiveService"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK]
"DisplayName"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK\Enum]
"0"="Root\\LEGACY_WINIK\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK\0000]
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinIK]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinIK]
"DisplayName"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinIK\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]
"Service"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000]
"DeviceDesc"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK\0000\Control]
"ActiveService"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK]
"DisplayName"="WinIK"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK\Enum]
"0"="Root\\LEGACY_WINIK\\0000"

[HKEY_USERS\S-1-5-21-1356174792-2906385658-1794019246-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\WINDOWS\\system32\\drivers\\winik.sys"

[HKEY_USERS\S-1-5-21-1356174792-2906385658-1794019246-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\drivers\\winik.sys"
  • 0

#19
Excal
Posted 13 July 2005 - 07:39 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

go to start > run and type:

sc stop winik

then type in:

sc delete winik

Reboot and let me know if it was successful


Thanks,

:tazz:

Excal
  • 0

#20
Mike7392000
Posted 13 July 2005 - 07:59 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I entered the commands you gave me and all that happened was what appeared to be a MS Dos window opened, closed immediately and the "run" box also closed with no error messages. The file is still there.
  • 0

#21
Excal
Posted 13 July 2005 - 08:04 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Very good.

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\system32\drivers\winik.sys

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

  • 0

#22
Mike7392000
Posted 13 July 2005 - 08:11 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Upon clicking "Yes" to the reboot prompt, I recieved this error message.
"PendingFileRenameOperations Registry Data has been Removed by External Process!"

After clicking ok I am returned to killbox and it does not restart.
  • 0

#23
Excal
Posted 13 July 2005 - 08:21 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Restart manually please.

Boot into safe mode.


see if you can delete that file manually now if its still there.



Thanks,

:tazz:

Excal

Edited by Excal, 13 July 2005 - 08:23 AM.

  • 0

#24
Mike7392000
Posted 13 July 2005 - 08:49 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Nope, killbox has created a backup of the file, would this mean that it was successfully deleted and something else caused it to be put back in or does Killbox automatically create backups whether it's successfull or not?

When attempting to manually delete the file, I once again recieved the "Cannot delete (filename):access is denied. Make sure the disk is not full or write protected and that the file is not currently in use." error message.

Technology's so frustrating at times. :tazz:
  • 0

#25
Excal
Posted 13 July 2005 - 09:04 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Go back to safe mode (which is now you offical second home :tazz:)

go to start > run and type:

sc stop winik


Now try to delete that file while still in safe mode.

reboot
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notebook onto your post

  • 0

Advertisements

#26
Mike7392000
Posted 13 July 2005 - 09:27 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I was once again unable to delete winik.sys (cursed thing :tazz:). Here's my startup list though.

StartupList report, 13/07/2005, 16:25:51
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Mike\Desktop\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\AOL\1121172593\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1121172593\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Mike\Desktop\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Mike\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
Apoint = C:\Program Files\Apoint2K\Apoint.exe
CeEPOWER = C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
CPLDBL10 = C:\Program Files\EzButton\CPLDBL10.EXE
CeEKEY = C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
TPNF = C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Motive SmartBridge = C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
msnappau = "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
dg0HYkUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
16 gram bird locks = C:\Documents and Settings\All Users\Application Data\Build bags 16 gram\EXITELSE.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinampAgent = C:\Program Files\Winamp\winampa.exe
dI0GQ5Ex = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
bAVJYAEw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
YkFHW5ow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
aQFGRA1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eI0HXkEw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
YEVGZ5Uw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
REVGUcUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
aY0HQcUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RMFGSsEx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
dYVGUAov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
sais = c:\program files\180solutions\sais.exe
awVHWsUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ck0HRkEx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZY0GSAEw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eIVHQgov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cApGWw1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fg0HRoUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fk0HWcov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eMVGVcox = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
bMpGYA1v = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cYVJScox = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RUFHYwEw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZU0GSoov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZkFHTgUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
QYVHUs1w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fk0HZkUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cYFJYgov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ckVJXc1v = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
aMFHYsow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cYFHRgEx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
dI0GXc1w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fUFJWAov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
YE0HUgUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
bEpGTw1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ewVHZcEx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
bkpGWoov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
Rg0GR5ov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
QYFHVwow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eUFJQc1w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eU0HT51v = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RUFGTg1v = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
aQpHX5Ux = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RkFJWAow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
QMVHVcov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
QA0HWkUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fApHT5Ux = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZUpGQ9Ux = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eQ0HU9Ew = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
QEFJWcov = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
dApGZwow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RwpHX9Ux = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
Zg0GTsow = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
bMpGTc1w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cg0HTkEx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
eUVJYgEw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
awpHS9Ux = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
dYpGWgUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RgpGWoUw = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cwFJRA1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
dwVGXg1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
awVHRgUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZEpGZ51w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fYFHRAUx = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
cMFJW11w = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ew0HYgox = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
RIpHZs1v = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
ZYVGZw1x = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
fwVJRcox = C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
HostManager = C:\Program Files\Common Files\AOL\1121172593\ee\AOLHostManager.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

A3358486918E3EBE.job
AB4B53ED9314C4BD.job
ACCD57D1918AC969.job
AFD8D70E910B4B5A.job
B1723C50966DB3CC.job
B3789DFD93EF162D.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...ry/msgrchkr.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab30149.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...MineSweeper.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0309.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...StatsClient.cab

[YahooYMailTo Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
CODEBASE = http://us.dl1.yimg.c.../ymmapi_416.dll

[SassCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft...ols/SassCln.CAB

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zon...ro.cab30149.cab

[YAddBook Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\yaddbook.dll
CODEBASE = http://us.dl1.yimg.c...utocomplete.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.4.2_04]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.4.2_05]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[ZoneChess Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Chess.ocx
CODEBASE = http://messenger.zon...ss.cab30149.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...352/mcfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\System32\CSLSP.DLL
Protocol #2: C:\WINDOWS\System32\CSLSP.DLL
Protocol #3: C:\WINDOWS\System32\CSLSP.DLL
Protocol #4: C:\WINDOWS\System32\CSLSP.DLL
Protocol #5: C:\WINDOWS\System32\CSLSP.DLL
Protocol #6: C:\WINDOWS\System32\CSLSP.DLL
Protocol #7: C:\WINDOWS\System32\CSLSP.DLL
Protocol #8: C:\WINDOWS\System32\CSLSP.DLL
Protocol #9: C:\WINDOWS\System32\CSLSP.DLL
Protocol #10: C:\WINDOWS\System32\CSLSP.DLL
Protocol #11: C:\WINDOWS\System32\CSLSP.DLL
Protocol #12: C:\WINDOWS\System32\CSLSP.DLL
Protocol #13: C:\WINDOWS\System32\CSLSP.DLL
Protocol #14: C:\WINDOWS\System32\CSLSP.DLL
Protocol #15: C:\WINDOWS\System32\CSLSP.DLL
Protocol #16: C:\WINDOWS\System32\CSLSP.DLL
Protocol #17: C:\WINDOWS\System32\CSLSP.DLL
Protocol #18: C:\WINDOWS\System32\CSLSP.DLL
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\rsvpsp.dll
Protocol #24: C:\WINDOWS\system32\rsvpsp.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll
Protocol #27: C:\WINDOWS\system32\mswsock.dll
Protocol #28: C:\WINDOWS\system32\mswsock.dll
Protocol #29: C:\WINDOWS\system32\mswsock.dll
Protocol #30: C:\WINDOWS\system32\mswsock.dll
Protocol #31: C:\WINDOWS\system32\mswsock.dll
Protocol #32: C:\WINDOWS\system32\mswsock.dll
Protocol #33: C:\WINDOWS\system32\mswsock.dll
Protocol #34: C:\WINDOWS\system32\mswsock.dll
Protocol #35: C:\WINDOWS\system32\mswsock.dll
Protocol #36: C:\WINDOWS\system32\mswsock.dll
Protocol #37: C:\WINDOWS\System32\CSLSP.DLL

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Amsmpu4p: \??\C:\DOCUME~1\Mike\LOCALS~1\Temp\Amsmpu4p.sys (manual start)
Alps Pointing-device Filter Driver: System32\DRIVERS\Apfiltr.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Atheros AR5001 Wireless Network Adapter Service: System32\DRIVERS\ar5211.sys (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
CeEPwrSvc: C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe (autostart)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Dual-Mode DSC(2770): System32\Drivers\SQcaptur.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Dritek HotKey Keyboard Filter Driver: System32\Drivers\DKbFltr.sys (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Dritek Port I/O Driver: System32\Drivers\DPortIO.sys (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Compal E-POWER Driver: System32\Drivers\hkdrv.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee Firewall: "C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (autostart)
McAfee Firewall Network Filter Miniport: System32\DRIVERS\fw220.sys (manual start)
McShield: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" (manual start)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SMC IrCC Miniport Device Driver: System32\DRIVERS\smcirda.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Sony SPTI Service: C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SrvcEKIOMngr: System32\Drivers\EKIoMngr.sys (system)
SrvcEPIOMngr: System32\Drivers\EPIoMngr.sys (system)
SrvcSSIOMngr: System32\Drivers\SSIoMngr.sys (system)
SrvcTPIOMngr: System32\Drivers\TPIoMngr.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E53F1653-F7C5-4740-91CF-628F26C28529} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TOSHIBA Software Modem: System32\DRIVERS\LTSM.sys (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WinIK: System32\Drivers\WinIK.sys (system)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Vimicro Z302 Mic Audio Filter Driver: system32\drivers\UsbMicfilt.sys (manual start)
NTPort Library Driver: \??\C:\WINDOWS\System32\zntport.sys (autostart)
PCL-W310: System32\Drivers\usbvm302.sys (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011: system32\drivers\wA301a.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 43,226 bytes
Report generated in 1.407 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#27
Excal
Posted 13 July 2005 - 07:37 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi,

Never had an infection this hard to get rid of!!

Lets back up your registry first:

Go to Start > Run - type:

regedit

Click OK.

When you get into the registry, on the leftside, click to highlight My Computer at the top. Then go up to "File > Export" Make sure in that window there is a tick next to "All" under Export Branch. Leave the "Save As Type" as "Registration Files", then save it as backup to a convenient location. Remember where you put it (I don't recommend putting it on the desktop) This is so the registry can be restored to this point should anything be deleted by accident or something else happens. It may take a minute. Just let it go until it's done.

Now I need you to look in the C:\Program Files\wwrxsour\ folder and list all the files that are in there?



Thanks,

:tazz:

Excal
  • 0

#28
Mike7392000
Posted 14 July 2005 - 12:13 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hey, sorry I've been so much trouble and thanks for still trying to help me!

I've backed up my registry and the only file in C:\Program Files\wwrxsour\ is "profile", it is a "DAT File".
  • 0

#29
Excal
Posted 14 July 2005 - 12:44 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
No trouble mike :tazz:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


1. Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIK]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinIK]

[HKEY_USERS\S-1-5-21-1356174792-2906385658-1794019246-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"=-

[HKEY_USERS\S-1-5-21-1356174792-2906385658-1794019246-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"=-


2. Click here to download Pocket Killbox by Option^Explicit.

3. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

4. Double-click on Killbox.exe to run Killbox which you downloaded earlyer. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\Program Files\wwrxsour\b0xDI8BM.dll
C:\Program Files\wwrxsour\b0xDI8BM.exe
C:\Program Files\wwrxsour\cnml.exe
C:\Program Files\wwrxsour\profile.dat
C:\WINDOWS\system32\drivers\winik.sys
c:\program files\180solutions\sais.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.


5. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

6. Delete the folder.

C:\Program Files\wwrxsour

7. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vsgjoauko...yA8xXooVB0.html

8. Reboot in normal mode

9. Please go here and upload

C:\Documents and Settings\All Users\Application Data\Build bags 16 gram\EXITELSE.exe

then please post the results in your next reply along with a fresh Hijackthis log.
  • 0

#30
Mike7392000
Posted 14 July 2005 - 05:51 AM

Mike7392000

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Winik.sys remains in its folder still!
C:\Documents and Settings\All Users\Application Data\Build bags 16 gram\EXITELSE.exe - I could not find this folder, which is strange because I know I have been in it a few times. It had a few files with odd names including one called "Dog Mess Noun" if I remember correctly. The .exes in this folder used to crash hourly presenting me with two annoying error messages each time they did so, I could not delete the files as they would be reinstalled soon enough. I eventually managed to edit and erase the contents of the files in notepad while keeping the file to avoid reinstallation (Exitelse.exe I'm confident was not one of the files). This was a few months ago, but now the entire folder seems to have disappeared. Here's my HijackThis log.

I managed to delete "C:\Program Files\wwrxsour\" so I'm not sure why it still appears in my HJT log. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 12:47:23, on 14/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\AOL\1121172593\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1121172593\ee\AOLServiceHost.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Opera75\opera.exe
C:\Documents and Settings\Mike\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [dg0HYkUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [16 gram bird locks] C:\Documents and Settings\All Users\Application Data\Build bags 16 gram\EXITELSE.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [dI0GQ5Ex] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [bAVJYAEw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [YkFHW5ow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [aQFGRA1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eI0HXkEw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [YEVGZ5Uw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [REVGUcUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [aY0HQcUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RMFGSsEx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [dYVGUAov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [awVHWsUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ck0HRkEx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZY0GSAEw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eIVHQgov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cApGWw1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fg0HRoUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fk0HWcov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eMVGVcox] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [bMpGYA1v] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cYVJScox] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RUFHYwEw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZU0GSoov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZkFHTgUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [QYVHUs1w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fk0HZkUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cYFJYgov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ckVJXc1v] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [aMFHYsow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cYFHRgEx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [dI0GXc1w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fUFJWAov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [YE0HUgUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [bEpGTw1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ewVHZcEx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [bkpGWoov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [Rg0GR5ov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [QYFHVwow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eUFJQc1w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eU0HT51v] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RUFGTg1v] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [aQpHX5Ux] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RkFJWAow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [QMVHVcov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [QA0HWkUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fApHT5Ux] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZUpGQ9Ux] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eQ0HU9Ew] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [QEFJWcov] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [dApGZwow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RwpHX9Ux] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [Zg0GTsow] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [bMpGTc1w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cg0HTkEx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [eUVJYgEw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [awpHS9Ux] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [dYpGWgUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RgpGWoUw] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cwFJRA1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [dwVGXg1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [awVHRgUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZEpGZ51w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fYFHRAUx] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [cMFJW11w] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ew0HYgox] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [RIpHZs1v] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [ZYVGZw1x] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [fwVJRcox] C:\PROGRA~1\wwrxsour\b0xDI8BM.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1121172593\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab30149.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab30149.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...352/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP