Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Unknown spyware/adware [CLOSED]

Started by Dimmae , Jul 05 2005 03:09 PM

  • This topic is locked This topic is locked

#31
Dimmae
Posted 27 July 2005 - 03:49 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: THAT took a while. I had to run IE to run the scan...it was blocking the Panda webpage. I played with the security settings and had to list it as a Trusted Site. Finally, the PC let the page load, and I got the scan to run -- it took a couple of hours. I was able to save the scan - it cleaned some things but not others. After saving the scan, the PC eventually locked up and I had to power it down. Here are the ActiveScan results:

Incident Status Location

Adware:adware/alwaysupdatednewsNo disinfected C:\WINDOWS\SYSTEM32\Free Cell Phone.ico
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/gator No disinfected C:\GatorPatch.log
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:adware/weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CDM
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS
Adware:adware/elitebar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR
Adware:adware/ncase No disinfected HKEY_CLASSES_ROOT\TypeLib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}
Adware:Adware/TopConvert No disinfected C:\a.exe
Virus:Trj/Ranky.GK Disinfected C:\custered.exe
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\80MT3MWF\prompt[1].html
Adware:Adware/nCase No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\init[1].js
Virus:Trj/LowZones.BB No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[update.html]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\16753005.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\46668148.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\5607128.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\6658363.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\71649074.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\78267192.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\81207561.exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Owner\94183158.exe
Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\KaZaA Lite\bdcore.dll
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4DD0F032-E250-4CEB-8D63-196E80\55BA582B-A898-47DF-AABD-8943AC
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\51CD04D7-AAB8-41B5-ACED-2A7525\53E9CE5B-3CA9-4C5F-A049-DE00F7
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\26CE59F8-205C-4BAD-990B-B74BBB
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\65D5C2C2-BEC4-45E6-94E0-65E541
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\E9EB05E4-E53C-4871-8DE2-CD6873
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\361CA08B-6CE8-4D5D-A662-9BDB2D
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\6C337A62-E857-4EE0-83AF-E2FAC2
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\6102DBCE-23FD-430B-95C6-3D2671
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\C211BE3C-0C72-4F05-A4A9-7C1F77
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\D5624A9B-D882-4136-BF38-0B8B2E
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\F11E853F-2C55-4A60-929C-196226
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\FBFD8693-E86E-475E-8C88-FB3736
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\9D3FAF71-C2AF-4CE8-9DB9-4C9080
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\F3A6D67D-1B5C-495C-95D4-25AA87
Virus:Trj/LowZones.BB No disinfected C:\sd934k.exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\sd934k.exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\sd934k.exe[update.html]
Virus:Trj/LowZones.BB Disinfected C:\temp\kans.reg
Virus:Trj/LowZones.BB Disinfected C:\temp\kansup.reg
Spyware:Spyware/ISTbar No disinfected C:\temp\update.html
Adware:Adware/Ucmore No disinfected C:\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore No disinfected C:\UCmore - The Search Accelerator\UCmore Tour.lnk
Adware:Adware/Transponder No disinfected C:\WINDOWS\pnfanin.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM32\75836563.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM32\869274.exe
Virus:W32/Sober.I.worm Disinfected C:\WINDOWS\SYSTEM32\clonzips.ssc
Virus:Bck/Sdbot.DMJ Disinfected C:\WINDOWS\SYSTEM32\eraseme_42230.exe
Virus:W32/Sdbot.EED.worm Disinfected C:\WINDOWS\SYSTEM32\eraseme_73851.exe
Virus:Bck/Sdbot.DMJ Disinfected C:\WINDOWS\SYSTEM32\eraseme_73867.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\filen.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i
Virus:W32/Sdbot.CXM.worm Disinfected C:\WINDOWS\SYSTEM32\msfirewalls.exe
Virus:Trj/Ranky.GK Disinfected C:\WINDOWS\SYSTEM32\ntsubsys.exe
Virus:W32/Sdbot.DYO.worm Disinfected C:\WINDOWS\SYSTEM32\rpcclient.exe
Virus:W32/Sdbot.DIR.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP3072
Virus:W32/Sdbot.CXM.worm Disinfected C:\WINDOWS\SYSTEM32\TFTP3728
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\SYSTEM32\tipbovgn.exe
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Virus:W32/Sdbot.EED.worm Disinfected C:\WINDOWS\winmon.exe
Virus:Trj/LowZones.BB No disinfected C:\xdf5r.exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\xdf5r.exe[update.html]
Virus:Trj/LowZones.BB No disinfected C:\xdf5r.exe[kans.reg]

Thanks,
Dimmae
  • 0

Advertisements

#32
Excal
Posted 27 July 2005 - 10:51 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CDM]

[-HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR]

[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR]

[-HKEY_CLASSES_ROOT\TypeLib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


Just a few random bad files and folders to clean up.

Please remove the following folders using Windows Explorer (if present):

C:\Program Files\KaZaA Lite
C:\UCmore - The Search Accelerator
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\a.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
C:\Documents and Settings\Owner\16753005.exe
C:\Documents and Settings\Owner\46668148.exe
C:\Documents and Settings\Owner\5607128.exe
C:\Documents and Settings\Owner\6658363.exe
C:\Documents and Settings\Owner\71649074.exe
C:\Documents and Settings\Owner\78267192.exe
C:\Documents and Settings\Owner\81207561.exe
C:\Documents and Settings\Owner\94183158.exe
C:\custered.exe
C:\WINDOWS\pnfanin.exe
C:\WINDOWS\SYSTEM32\75836563.exe
C:\WINDOWS\SYSTEM32\869274.exe
C:\WINDOWS\SYSTEM32\clonzips.ssc
C:\WINDOWS\SYSTEM32\eraseme_42230.exe
C:\WINDOWS\SYSTEM32\eraseme_73851.exe
C:\WINDOWS\SYSTEM32\eraseme_73867.exe
C:\WINDOWS\SYSTEM32\filen.exe
C:\WINDOWS\SYSTEM32\i
C:\WINDOWS\SYSTEM32\msfirewalls.exe
C:\WINDOWS\SYSTEM32\ntsubsys.exe
C:\WINDOWS\SYSTEM32\rpcclient.exe
C:\WINDOWS\SYSTEM32\TFTP3072
C:\WINDOWS\SYSTEM32\TFTP3728
C:\WINDOWS\SYSTEM32\tipbovgn.exe
C:\WINDOWS\weirdontheweb_topc.exe
C:\WINDOWS\winmon.exe
C:\xdf5r.exe[kansup.reg]
C:\xdf5r.exe[update.html]
C:\xdf5r.exe[kans.reg]
C:\sd934k.exe[kans.reg]
C:\sd934k.exe[kansup.reg]
C:\sd934k.exe[update.html]
C:\WINDOWS\SYSTEM32\Free Cell Phone.ico
C:\WINDOWS\SYSTEM32\winupdt.008
C:\GatorPatch.log
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\msxct1.ini
C:\WINDOWS\weirdontheweb_topc.exe

Post back when you finish and tell me how your computer is running :tazz:
  • 0

#33
Dimmae
Posted 29 July 2005 - 12:11 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
OK, Excal... I finished the steps you asked me to do...everything went well except when I was in HJT some of the files were not there to delete:
custered.exe
clonzips.ssc
eraseme_XXXXX.exe (although there were 4 files with different numbers in the filenames...)
filen.exe
msfirewalls.exe
ntsubsys.exe
rpcclient.exe
TFTPXXXX (although there were 4 files with different numbers in the filenames...)
winmon.exe

I haven't used the PC much after finishing this stuff, but it seems to still be hanging up at times...

Thanks again for all the help,
Dimmae :tazz:
  • 0

#34
Dimmae
Posted 29 July 2005 - 12:13 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
...oh, and here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:16 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\desktop\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsuppor...MPChWrapper.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117517844765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon....3.1/ttinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

Dimmae
  • 0

#35
Excal
Posted 29 July 2005 - 10:27 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Everything looks good on your hijackthis log, lets take a look at a silent runners log to make sure thats clean.
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

  • NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
    For some time it will look like nothing is happening. Just keep waiting.
  • Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

  • 0

#36
Dimmae
Posted 01 August 2005 - 12:08 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: OK, Excal... Ran the program and here is the log. The PC is still hanging up if it is left alone for more than a few minutes, especially when it is hooked up to the internet:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"igfsta" = "C:\WINDOWS\System32\igfsta.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"MoneyAgent" = ""c:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"nwiz" = "nwiz.exe /install" [file not found]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SM1BG" = "C:\WINDOWS\SM1BG.EXE" ["Cypress Semiconductor"]
"MimBoot" = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe" ["Musicmatch, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\UNBIND.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\desktop\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\desktop\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\desktop\ewido\security suite\context.dll" ["ewido networks"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"hp center" -> shortcut to: "C:\Program Files\hp center\137903\Program\BackWeb-137903.exe -startup" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" = "REALBAR" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll" ["Visicom Media"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\ = "MoneySide" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [file not found]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"" ["Network Associates, Inc."]
ewido security suite control, ewido security suite control, "C:\desktop\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe"" ["Network Associates, Inc."]
MD Simple Burner Service, NetMDSB, "C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe" ["Sony Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Virtual NIC Service, PackethSvc, "C:\WINDOWS\System32\PackethSvc.exe" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 19 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 24 seconds.
---------- (total run time: 155 seconds)

Thanks,
Dimmae
  • 0

#37
Excal
Posted 01 August 2005 - 12:13 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Run this online virus scan: ActiveScan - Save the results from the scan!
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notebook onto your post
Please post the activescan log and the startuplist.


Thanks,

:tazz:

Excal
  • 0

#38
Dimmae
Posted 02 August 2005 - 12:39 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: Wow - had to use IE for Activescan... Ran a scan once, it took 3 hours and found about 37 things and cleaned 8...PC would not let me save the log. I had to power down and lost the data. Tried to run the scan a few more times, and had to power down each time. Finally it let me run the thing and I saved the scan - what a pain! Powered down and back up about 10 times tonite... Here is the Activescan log:

Incident Status Location

Adware:adware/alwaysupdatednewsNo disinfected C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC
Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NOVO
Adware:adware/elitebar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR
Adware:adware/ncase No disinfected HKEY_CLASSES_ROOT\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
Spyware:Spyware/XXXToolbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\80MT3MWF\prompt[1].html
Adware:Adware/nCase No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\init[1].js
Virus:Trj/LowZones.BB No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[kans.reg]
Virus:Trj/LowZones.BB No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[kansup.reg]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe[update.html]
Virus:Bck/Sdbot.DMJ Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\19F0.tmp
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4DD0F032-E250-4CEB-8D63-196E80\55BA582B-A898-47DF-AABD-8943AC
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\51CD04D7-AAB8-41B5-ACED-2A7525\53E9CE5B-3CA9-4C5F-A049-DE00F7
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\26CE59F8-205C-4BAD-990B-B74BBB
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\65D5C2C2-BEC4-45E6-94E0-65E541
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\E9EB05E4-E53C-4871-8DE2-CD6873
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\361CA08B-6CE8-4D5D-A662-9BDB2D
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\6C337A62-E857-4EE0-83AF-E2FAC2
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\6102DBCE-23FD-430B-95C6-3D2671
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\C211BE3C-0C72-4F05-A4A9-7C1F77
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\D5624A9B-D882-4136-BF38-0B8B2E
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\F11E853F-2C55-4A60-929C-196226
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\FBFD8693-E86E-475E-8C88-FB3736
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\9D3FAF71-C2AF-4CE8-9DB9-4C9080
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\F3A6D67D-1B5C-495C-95D4-25AA87
Adware:Adware/BrilliantDigitalNo disinfected C:\RECYCLER\S-1-5-21-3825228898-315636210-488748980-1003\Dc2\bdcore.dll
Adware:Adware/Ucmore No disinfected C:\RECYCLER\S-1-5-21-3825228898-315636210-488748980-1003\Dc3\How To Uninstall.lnk
Adware:Adware/Ucmore No disinfected C:\RECYCLER\S-1-5-21-3825228898-315636210-488748980-1003\Dc3\UCmore Tour.lnk
Spyware:Spyware/ISTbar No disinfected C:\temp\update.html
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\i

...and here is the Startuplist:

StartupList report, 8/1/2005, 11:31:06 PM
StartupList version: 1.52.2
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\desktop\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
S3TRAY2 = S3tray2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
nwiz = nwiz.exe /install
KBD = C:\HP\KBD\KBD.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SM1BG = C:\WINDOWS\SM1BG.EXE
MimBoot = C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent = "c:\Program Files\Microsoft Money\System\Money Express.exe"
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[MPChWrapper.Util]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MPChWrapper.dll
CODEBASE = http://instantsuppor...MPChWrapper.CAB

[AimSp32 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\aimsp32.dll
CODEBASE = http://makeover.subs...ve/makeover.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1117517844765

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft.../as5/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...7846.8831018519

[Toontown Installer ActiveX Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ttinst.dll
CODEBASE = http://download.toon....3.1/ttinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}]
CODEBASE = http://download.spys...rCabInstall.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
AOL Instant Messanger: "C:\WINDOWS\aim.exe" (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVSync Manager: "C:\Program Files\Network Associates\VirusScan\avsynmgr.exe" (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\desktop\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\desktop\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\desktop\ewido\security suite\ewidoguard.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FREEDOM Miniport: System32\DRIVERS\FREEDOM.SYS (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
iMSPQMn: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\iMSPQMn.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
McShield: "C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Workstation Service Library: "C:\WINDOWS\wkssvc.exe" (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse Hardware Sync: C:\WINDOWS\System32\mousehs.exe (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NaiFiltr: \??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys (manual start)
NaiFsRec: System32\drivers\NaiFsRec.sys (system)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MD Simple Burner Service: C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe (autostart)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Virtual NIC Service: C:\WINDOWS\System32\PackethSvc.exe (autostart)
PACSPTISVR: C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
rdriv: \??\C:\WINDOWS\System32\rdriv.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Client: C:\WINDOWS\System32\rpcclient.exe (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
S3SavageNB: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Sony SPTI Service: C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
USB Dual-mode Camera: system32\drivers\STV680.sys (manual start)
USB Dual-mode Cameram: system32\drivers\STV680m.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9BC5B651-952C-4947-AC46-563D2749C8A0} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Process Moniter: "C:\WINDOWS\winmon.exe" (disabled)
Winkgk: C:\WINDOWS\System32\Winkgk.exe (disabled)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

igfsta = C:\WINDOWS\System32\igfsta.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,685 bytes
Report generated in 0.171 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks SO much, Excal! Don't give up on me!
Dimmae
  • 0

#39
Excal
Posted 02 August 2005 - 08:13 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Dimmae,

lol, i won't give up on you :tazz:

Please remove the following folders and files using Windows Explorer (if present):

C:\WINDOWS\SYSTEM32\i
C:\WINDOWS\SYSTEM32\Free LapTop Computer.ico

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme3.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_WINTOOLSSVC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\NOVO]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR]

[-HKEY_CLASSES_ROOT\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}]



Locate fixme3.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

reboot.

I think you should clean your registry out a bit:
  • Please dowload: RegSeeker.
  • Click on "Clean The Registry" in the left panel.
  • Check all boxes (make sure the backup box in the lower left corner is selected!).
  • After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
  • Click "Quit RegSeeker".
Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. When RegSeeker finds nothing else, then it's clean!

after your registry is clean, please do the following:

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C:\WINDOWS\system32
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  • 0

#40
Dimmae
Posted 02 August 2005 - 10:25 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: Ok, Excal - I'll try to get all that done tonight. Just a question, though...I downloaded mwav per your instructions some time ago (Actually you said to go get something else, but the link took me to mwav). I downloaded mwav to my desktop and it's still there, but it would not run. I got an error message that said it was "not a valid Win32 application". Am I going to get that error again?

Thanks,
Dimmae
  • 0

Advertisements

#41
Excal
Posted 02 August 2005 - 10:49 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I had to look to remember...lol, but I did not have you download this before. It should not give you any error.


Thanks,


Excal
  • 0

#42
Dimmae
Posted 02 August 2005 - 04:43 PM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: Back on 7/13 you sent me to a site to run an online "escan", but there was no "escan"...instead I found "mwav". I tried mwav, but my PC didn't let me execute it (see my reply on 7/14), telling me that it was "not a valid Win32 application". No worries - I'll follow your link, download it and run it and tell you how it goes.

Thanks, Excal!
Dimmae
  • 0

#43
Excal
Posted 03 August 2005 - 12:11 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
ok Dimmae, i will be waiting. Thanks for letting me know about that link, i will double check it.

:tazz:

Excal
  • 0

#44
Dimmae
Posted 03 August 2005 - 08:35 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
:tazz: Finally finished this morning, Excal. Everything went well except that there was no file OR folder named "i", so I couldn't delete that. Here is the text from the bottom window of the mwav scan:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BonziBuddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AdRotator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\logo.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\scribble.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\dot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\mnature.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\hoverbot.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\will.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\powerpup.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\genius.act". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\AOL_Client.AOL_Client.1" refers to invalid object "{225789FB-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientCommands.AOL_ClientCommands.1" refers to invalid object "{BB4AEB43-D0AB-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientDevice.AOL_ClientDevice.1" refers to invalid object "{225789FD-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientDeviceDB.AOL_ClientDeviceDB.1" refers to invalid object "{22578A01-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientLocality.AOL_ClientLocality.1" refers to invalid object "{22578A03-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientLocalityDB.AOL_ClientLocalityDB.1" refers to invalid object "{22578A05-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientLocalityGroup.AOL_ClientLocalityGroup.1" refers to invalid object "{22578A07-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientPhoneDB.AOL_ClientPhoneDB.1" refers to invalid object "{22578A09-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientPhoneList.AOL_ClientPhoneList.1" refers to invalid object "{22578A0B-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientPhoneNum.AOL_ClientPhoneNum.1" refers to invalid object "{22578A0D-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\AOL_ClientSystem.AOL_ClientSystem.1" refers to invalid object "{22578A0F-CCA8-11D2-A719-0060B0B41584}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.Base64" refers to invalid object "{957766A8-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.DES56" refers to invalid object "{957766AD-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.FileAccess" refers to invalid object "{957766B3-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.Hexadecimal" refers to invalid object "{957766B5-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.RC2" refers to invalid object "{957766B1-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.RC4" refers to invalid object "{957766AF-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\ARCryptoLib.SHA1" refers to invalid object "{957766AB-14CE-11D2-95CA-0000B43369D3}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CddbDisc" refers to invalid object "{fba38bcf-e23d-4979-811e-1326bbadb8c8}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CddbDisc.1" refers to invalid object "{fba38bcf-e23d-4979-811e-1326bbadb8c8}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CddbFullName.1" refers to invalid object "{d4387178-98ca-4929-b8e3-a11cd2f333a6}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CddbTrackManager" refers to invalid object "{43918f8f-f3be-4760-b4bb-6c89d9d91487}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CddbTrackManager.1" refers to invalid object "{43918f8f-f3be-4760-b4bb-6c89d9d91487}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CDDBWinampControl" refers to invalid object "{44b09a5f-5dee-4539-8001-d4b2d45c2876}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.CDDBWinampControl.1" refers to invalid object "{44b09a5f-5dee-4539-8001-d4b2d45c2876}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlWinamp.FullName" refers to invalid object "{d4387178-98ca-4929-b8e3-a11cd2f333a6}". Action Taken: No Action Taken.
Entry "HKCR\CDDBUIControlWinamp.CddbWinampUI" refers to invalid object "{96632d1e-f3eb-4f54-ba79-9969692db659}". Action Taken: No Action Taken.
Entry "HKCR\CDDBUIControlWinamp.CddbWinampUI.1" refers to invalid object "{96632d1e-f3eb-4f54-ba79-9969692db659}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\CmdLineExt.CmdLineContextMenu.1" refers to invalid object "{9869EFB4-18E9-11D3-A837-00104B9E30B5}". Action Taken: No Action Taken.
Entry "HKCR\DARef.DARef" refers to invalid object "{97D6D376-23BB-11D1-A0E1-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\DARef.DARef.9" refers to invalid object "{97D6D376-23BB-11D1-A0E1-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\DPDataView.DPDVEvt" refers to invalid object "{DB6E8F48-FD3E-11D0-A0BC-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\DPDataView.DPDVEvt.9" refers to invalid object "{DB6E8F48-FD3E-11D0-A0BC-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\EDisk2.MgEdisk" refers to invalid object "{340A0150-9DC7-11D3-9A01-005004677EF4}". Action Taken: No Action Taken.
Entry "HKCR\EDisk2.MgEdisk.1" refers to invalid object "{340A0150-9DC7-11D3-9A01-005004677EF4}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.Agent.PingObj" refers to invalid object "{A30C94ED-ED1D-4cd9-931B-032481FED884}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.MCVSScan.1" refers to invalid object "{B793DE5F-29C9-440c-A9E2-4644145DDD3D}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.VsoUpd.UpdateHelper" refers to invalid object "{6950611A-E2CF-421f-88C3-61C27A3832C5}". Action Taken: No Action Taken.
Entry "HKCR\Mccomctl.McDrives" refers to invalid object "{28E74E8D-7B99-4486-AE32-11B67F93B54B}". Action Taken: No Action Taken.
Entry "HKCR\Mccomctl.McDrives.1" refers to invalid object "{28E74E8D-7B99-4486-AE32-11B67F93B54B}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcapphelper" refers to invalid object "{D2D8D3C0-C750-4703-A6AD-75D6B578FFE6}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcapphelper.1" refers to invalid object "{D2D8D3C0-C750-4703-A6AD-75D6B578FFE6}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcfilesystem" refers to invalid object "{5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcfilesystem.1" refers to invalid object "{5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcinstaller" refers to invalid object "{36C417C6-13C6-448B-9784-DD73A93B0582}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcinstaller.1" refers to invalid object "{36C417C6-13C6-448B-9784-DD73A93B0582}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcos" refers to invalid object "{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcos.1" refers to invalid object "{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcregistry" refers to invalid object "{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcregistry.1" refers to invalid object "{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcshell" refers to invalid object "{CA145D71-4BCB-461D-BCBE-C01C42867380}". Action Taken: No Action Taken.
Entry "HKCR\mcinstall.mcshell.1" refers to invalid object "{CA145D71-4BCB-461D-BCBE-C01C42867380}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Calendar" refers to invalid object "{9DB6C03C-C511-11D2-A9AE-00C04F72DAEB}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Calendar.5" refers to invalid object "{9DB6C03C-C511-11D2-A9AE-00C04F72DAEB}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Launcher.WksSvc" refers to invalid object "{597624C4-BBDB-11D2-A65D-00C04F72E035}". Action Taken: No Action Taken.
Entry "HKCR\MicrosoftWorks.Launcher.WksSvc.5" refers to invalid object "{597624C4-BBDB-11D2-A65D-00C04F72E035}". Action Taken: No Action Taken.
Entry "HKCR\OWC.Chart" refers to invalid object "{0002E500-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.Chart.9" refers to invalid object "{0002E500-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.DataSourceControl" refers to invalid object "{0002E530-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.DataSourceControl.9" refers to invalid object "{0002E530-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.ExpandControl" refers to invalid object "{0002E532-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.ExpandControl.9" refers to invalid object "{0002E532-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.FieldList" refers to invalid object "{4C85388F-1500-11D1-A0DF-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\OWC.FieldList.9" refers to invalid object "{4C85388F-1500-11D1-A0DF-00C04FC9E20F}". Action Taken: No Action Taken.
Entry "HKCR\OWC.PivotTable" refers to invalid object "{0002E520-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.PivotTable.9" refers to invalid object "{0002E520-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.RecordNavigationControl" refers to invalid object "{0002E531-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.RecordNavigationControl.9" refers to invalid object "{0002E531-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.Spreadsheet" refers to invalid object "{0002E510-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\OWC.Spreadsheet.9" refers to invalid object "{0002E510-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow.1" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\WDMHHost.WTHoster" refers to invalid object "{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}". Action Taken: No Action Taken.
Entry "HKCR\WDMHHost.WTHoster.1" refers to invalid object "{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WT.WTMultiplayer" refers to invalid object "{0c097121-c5d6-47eb-841d-30bff71a71c4}". Action Taken: No Action Taken.
Entry "HKCR\WT.WTMultiplayer.1" refers to invalid object "{0c097121-c5d6-47eb-841d-30bff71a71c4}". Action Taken: No Action Taken.
Entry "HKCR\WT3D.WT" refers to invalid object "{FA13A9FA-CA9B-11D2-9780-00104B242EA3}". Action Taken: No Action Taken.
Entry "HKCR\WT3D.WT.1" refers to invalid object "{FA13A9FA-CA9B-11D2-9780-00104B242EA3}". Action Taken: No Action Taken.
Entry "HKCR\Wtlaunch.WThl0fc939801bac437881a2ac8aa51f427e" refers to invalid object "{0fc93980-1bac-4378-81a2-ac8aa51f427e}". Action Taken: No Action Taken.
Entry "HKCR\Wtlaunch.WThl0fc939801bac437881a2ac8aa51f427e.1" refers to invalid object "{0fc93980-1bac-4378-81a2-ac8aa51f427e}". Action Taken: No Action Taken.
Entry "HKCR\Wtlaunch.WThl6c03c7894f5143e6b1d5f27e29311396" refers to invalid object "{6c03c789-4f51-43e6-b1d5-f27e29311396}". Action Taken: No Action Taken.
Entry "HKCR\Wtlaunch.WThl6c03c7894f5143e6b1d5f27e29311396.1" refers to invalid object "{6c03c789-4f51-43e6-b1d5-f27e29311396}". Action Taken: No Action Taken.
Entry "HKCR\WTVis.WTVisReceiver" refers to invalid object "{7F23E6E5-0E79-4aee-B723-B1463805D5A9}". Action Taken: No Action Taken.
Entry "HKCR\WTVis.WTVisReceiver.1" refers to invalid object "{7F23E6E5-0E79-4aee-B723-B1463805D5A9}". Action Taken: No Action Taken.
Entry "HKCR\WTVis.WTVisSender" refers to invalid object "{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}". Action Taken: No Action Taken.
Entry "HKCR\WTVis.WTVisSender.1" refers to invalid object "{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\winmon.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\80MT3MWF\prompt[1].html infected by "Trojan-Downloader.JS.IstBar.j" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9UBQL1UC\lgs[1].exe infected by "Trojan.WinREG.LowZones.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\01A8F60B-3AC8-467A-90B6-3661F3\3171A928-606F-4216-8A65-AC739F infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\01A8F60B-3AC8-467A-90B6-3661F3\A96FFA3D-DCF1-4FFB-8597-D1A995 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\4DD0F032-E250-4CEB-8D63-196E80\55BA582B-A898-47DF-AABD-8943AC tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\51CD04D7-AAB8-41B5-ACED-2A7525\53E9CE5B-3CA9-4C5F-A049-DE00F7 tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\26CE59F8-205C-4BAD-990B-B74BBB tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\65D5C2C2-BEC4-45E6-94E0-65E541 tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\779989FF-6672-44B3-B772-7D665A\E9EB05E4-E53C-4871-8DE2-CD6873 tagged as "not-a-virus:AdWare.180Solutions.j". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\361CA08B-6CE8-4D5D-A662-9BDB2D tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\7F55E021-1068-42EC-A00C-1D2670\6C337A62-E857-4EE0-83AF-E2FAC2 tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\6102DBCE-23FD-430B-95C6-3D2671 tagged as "not-a-virus:AdWare.SurfSide.n". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\C211BE3C-0C72-4F05-A4A9-7C1F77 infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\D5624A9B-D882-4136-BF38-0B8B2E infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\F11E853F-2C55-4A60-929C-196226 tagged as "not-a-virus:AdWare.SurfSide.l". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\85B5EA3B-4F51-4EF9-BA9F-1AE198\FBFD8693-E86E-475E-8C88-FB3736 infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E1E3C34C-DF31-4E51-8206-8C0246\ABB1DA41-5273-4125-B9B9-3BC127 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\E1E3C34C-DF31-4E51-8206-8C0246\C35DC280-DFED-4381-862B-CC6D69 infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\9D3FAF71-C2AF-4CE8-9DB9-4C9080 tagged as "not-a-virus:AdWare.SurfSide.n". Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\EC67D9CB-8803-457B-84F5-9A498C\F3A6D67D-1B5C-495C-95D4-25AA87 tagged as "not-a-virus:AdWare.SurfSide.l". Action Taken: No Action Taken.
File C:\Program Files\Netscape\Netscape\plugins\npzango.dll tagged as "not-a-virus:AdWare.WinAD.be". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP200\A0011854.exe infected by "Trojan-Downloader.Win32.QDown.v" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP202\A0011905.EXE tagged as "not-a-virus:AdWare.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP217\A0013521.exe tagged as "not-a-virus:AdWare.WinAD". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP217\A0013524.dll infected by "Virus.Win32.Porad.a" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP217\A0013528.dll infected by "Virus.Win32.Porad.a" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP227\A0015713.dll infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP229\A0016748.dll infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP246\A0018544.exe infected by "Trojan-Dropper.Win32.ExeBinder.e" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP249\A0020614.exe infected by "Trojan-Dropper.Win32.ExeBinder.e" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP250\A0020640.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP250\A0020652.exe tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP252\A0020883.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP252\A0021941.exe tagged as "not-a-virus:AdWare.ClearSearch.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021950.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021951.exe tagged as "not-a-virus:AdWare.Sahat.ag". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021952.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021953.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021954.dll tagged as "not-a-virus:AdWare.SurfSide.l". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021955.dll tagged as "not-a-virus:AdWare.SurfSide.n". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021956.exe tagged as "not-a-virus:AdWare.ToolBar.Ucmore.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021958.exe tagged as "not-a-virus:AdWare.Sahat.ah". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021959.exe tagged as "not-a-virus:AdWare.SmartPops.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021960.dll tagged as "not-a-virus:AdWare.SmartPops.d". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021962.exe tagged as "not-a-virus:AdWare.ClearSearch.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021976.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021978.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021979.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021986.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021988.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021989.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021996.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021998.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0021999.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0022996.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0022998.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0022999.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023007.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023009.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023010.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023017.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023019.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023020.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023027.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023029.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP255\A0023030.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023048.DLL tagged as "not-a-virus:AdWare.ClaerSearch.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023050.DLL tagged as "not-a-virus:AdWare.ClaerSearch.ab". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023055.dll tagged as "not-a-virus:AdWare.ClearSearch.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023056.exe tagged as "not-a-virus:AdWare.ClearSearch.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023058.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0023059.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP256\A0025082.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0025095.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0025098.exe infected by "Trojan.WinREG.LowZones.f" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0025103.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026103.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026110.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026119.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026127.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026139.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0026146.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0027146.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP257\A0028170.exe tagged as "not-a-virus:AdWare.WinAD.be". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0036238.exe infected by "Trojan-Proxy.Win32.Ranky.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0036242.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0036244.exe infected by "Trojan-Proxy.Win32.Ranky.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0036245.exe infected by "Backdoor.Win32.Codbot.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0036246.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038253.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038254.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038255.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038256.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038257.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038258.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038259.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038260.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038261.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038262.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038263.exe tagged as "not-a-virus:AdWare.WinAD.e". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038264.exe tagged as "not-a-virus:AdWare.WeirWeb.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038265.exe infected by "Trojan.WinREG.LowZones.f" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038266.exe infected by "Trojan.WinREG.LowZones.f" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP262\A0038274.exe infected by "Backdoor.Win32.SdBot.xd" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP263\A0040288.exe infected by "Backdoor.Win32.SdBot.xd" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP263\A0040289.exe infected by "Backdoor.Win32.SdBot.xd" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP263\A0040290.exe infected by "Backdoor.Win32.SdBot.xd" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\winmon.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\winmon.sys infected by "Backdoor.Win32.SdBot.zo" Virus! Action Taken: No Action Taken.

Pluggin' along...thanks.
Dimmae
  • 0

#45
Dimmae
Posted 03 August 2005 - 08:40 AM

Dimmae

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Oh - in case you wondered, the D: drive on my PC is a flash stick...didn't remove it prior to the scan. I have I have been downloading some of the programs you need me to run from work...it's much faster than doing it at home on dial-up, so I have several adware removal files on there... :tazz:

Thanks,
Dimmae
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP