Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

trojan.desktophijack and related [resolved]

Started by glennc007 , Jul 07 2005 03:22 PM

This topic is locked

#46
g2i2r4

Posted 18 July 2005 - 03:30 PM

retired HiJack Helper

Retired Staff
5,080 posts

Can you rerun Panda for me?

#47
glennc007

Posted 18 July 2005 - 03:37 PM

Member

Topic Starter
Member
41 posts

Jotti found nothing in the new wininet.dll

Tried to run silent runners, but after double click, cursor becomes hourglass + pointer for a second, then nothing happens.

#48
glennc007

Posted 18 July 2005 - 03:41 PM

Member

Topic Starter
Member
41 posts

OK. running panda now. I might have to take off before it finishes, in which case I'll post first thing tomorrow AM (i'm in philadelphia USA).

Thanks for continuing to work with me to fix this. I'm hoping we're getting close now.....

#49
g2i2r4

Posted 18 July 2005 - 03:50 PM

retired HiJack Helper

Retired Staff
5,080 posts

I'm in Europe (23.50 here now, sleepytime :tazz:

). I'll see if I can take a peek during the day, but will be back around 19.00 tomorrow.

#50
glennc007

Posted 18 July 2005 - 04:02 PM

Member

Topic Starter
Member
41 posts

Panda Titanium Antivirus 2005 incident report

EVENT DATE RESULTS ADDITIONAL INFORMATION
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 07/18/05 17:58:37 Scan: All My Computer
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1]_CHM.vir[track9.htm]
Virus detected: VBS/Psyme.C 07/18/05 17:44:36 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:36 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1]_CHM.vir[track6.htm]
Adware detected: Adware/EasySearch 07/18/05 17:44:23 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\index[1].chm[index.exe]
Virus detected: VBS/Psyme.C 07/18/05 17:44:21 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:21 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1]_CHM.vir[track9.htm]
Scan started 07/18/05 17:39:04 Scan: All My Computer
Script execution 07/18/05 17:35:46 Blocked File: C:\Documents and Settings\Sean\Desktop\Silent Runners.vbs
Script execution 07/18/05 17:34:48 Blocked File: C:\Silent Runners.vbs
Script execution 07/18/05 17:34:19 Blocked File: C:\Silent Runners.vbs
Connection attempt 07/18/05 17:04:03 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:53:32 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:32:15 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:31:03 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:17:19 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/15/05 10:14:11 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 17:14:09 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 16:27:38 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 14:49:37 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 11:05:54 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/12/05 17:26:19 Blocked Source IP address: 192.168.1.101
Connection attempt 07/12/05 17:26:10 Blocked Source IP address: 192.168.1.101
Scan completed 07/12/05 17:01:55 Scan: All My Computer
Virus detected: Trj/Qoologic.D 07/12/05 17:01:53 Disinfected Location: C:\WINDOWS\system32\zpxbgrz.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:50 Disinfected Location: C:\WINDOWS\system32\weird.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:46 Eliminated Location: C:\WINDOWS\system32\urkvn.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:41 Disinfected Location: C:\WINDOWS\system32\uci.exe
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:39 Disinfected Location: C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:31 Eliminated Location: C:\WINDOWS\system32\pquyv.dat
Adware detected: Adware/DownloadWare 07/12/05 17:00:46 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.exe
Adware detected: Adware/Novo 07/12/05 17:00:43 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.dll
Virus detected: Trj/Clicker.FV 07/12/05 17:00:34 Disinfected Location: C:\WINDOWS\system\ugmgoe.exe
Spyware detected: Spyware/BetterInet 07/12/05 17:00:33 Eliminated Location: C:\WINDOWS\system\QBUninstaller.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:16 Eliminated Location: c:\windows\system32\rkaump.exe
Adware detected: Adware/BookedSpace 07/12/05 17:00:10 Eliminated Location: C:\WINDOWS\ldzpgsif.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:04 Eliminated Location: c:\windows\system32\rekcuir.dll
Virus detected: W32/Smitfraud.A 07/12/05 16:58:57 Disinfected Location: C:\RECYCLER\S-1-5-21-825722390-3549862705-862503612-500\Dc1.dll
Virus detected: Trj/Qoologic.F 07/12/05 16:58:11 Disinfected Location: c:\windows\system32\pcmqd.dll
Adware detected: Adware/EliteBar 07/12/05 16:57:56 Eliminated Location: C:\Program Files\sdf.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\CasStub\casstub.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\Cas\Client\Uninstall.exe
Virus detected: Trj/Downloader.BJG 07/12/05 16:48:03 Disinfected Location: c:\windows\system32\leisureboxinst_ppi1a.exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:47:42 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:47:36 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:47:31 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\trk_0009[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:47:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\pcs_0009[1].exe
Virus detected: Trj/Multidropper.AOT 07/12/05 16:47:20 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\dropper[1].chm
Adware detected: Adware/Look2Me 07/12/05 16:47:13 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\Q7WFEH61\nsh_118[1].exe
Adware detected: Adware/TopConvert 07/12/05 16:47:00 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\website[1].ocx
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:54 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\marketing32[1].htm
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[1][Content]
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM[track9.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[2]
Adware detected: Adware/Look2Me 07/12/05 16:46:46 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\nsh_115[1].exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:41 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\marketing32[1].htm
Virus detected: Exploit/Mhtredir.gen 07/12/05 16:46:34 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\CA85WX4J.HTM
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM[track6.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:46:19 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:46:09 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\trk_0006[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:46:03 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\pcs_0006[1].exe
Adware detected: Adware/EasySearch 07/12/05 16:45:58 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\index[1].chm[index.exe]
Spyware detected: Spyware/Media-motor 07/12/05 16:45:57 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\diamond[1].cab
Adware detected: Adware/Pacimedia 07/12/05 16:45:51 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\trk_0009[1].exe
Virus detected: Exploit/URLSpoof 07/12/05 16:45:51 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\%68%70[4]
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM[track9.htm]
Spyware detected: Spyware/BargainBuddy 07/12/05 16:45:44 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\marketing32[1].htm
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.dll]
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.inf]
Spyware detected: Spyware/SafeSurf 07/12/05 16:45:21 Eliminated Location: c:\windows\system32\installerv3.exe
Virus detected: W32/Smitfraud.A 07/12/05 16:41:40 Disinfected Location: C:\Documents and Settings\Administrator\My Documents\wininet.OLD
Spyware detected: Cookie/Zedo 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@zedo[1].txt
Spyware detected: Cookie/Adserver 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\[email protected][1].txt
Spyware detected: Cookie/SpyLog 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@spylog[1].txt
Spyware detected: Cookie/Paypopup 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@paypopup[1].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@overture[1].txt
Spyware detected: Cookie/Enhance 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\[email protected][1].txt
Spyware detected: Cookie/Azjmp 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@azjmp[2].txt
Spyware detected: Cookie/adultfriendfinder 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@adultfriendfinder[1].txt
Spyware detected: Cookie/YieldManager 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\[email protected][2].txt
Spyware detected: Cookie/QuestionMarket 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@questionmarket[1].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\[email protected][1].txt
Spyware detected: Cookie/Belnk 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\[email protected][2].txt
Adware detected: Adware/PsGuard 07/12/05 16:41:22 Eliminated Location: C:\Documents and Settings\Sean\Application Data\PSGuard.com
Adware detected: Adware/BigTrafficNet 07/12/05 16:41:16 Eliminated Location: C:\WINDOWS\System32\nsi4C.dll
Adware detected: Adware/Novo 07/12/05 16:41:07 Eliminated Location: Windows Registry
Adware detected: Adware/XmlLib 07/12/05 16:41:03 Eliminated Location: Windows Registry
Adware detected: Adware/BlueScreenWarning 07/12/05 16:40:56 Eliminated Location: Windows Registry
Scan started 07/12/05 16:39:48 Scan: All My Computer
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:33:59 Eliminated Location: c:\windows\system32\dist001.exe
Adware detected: Adware/DealHelper 07/12/05 16:31:44 Eliminated Location: c:\windows\system32\chdboo.exe
Virus detected: Trj/Qoologic.E 07/12/05 16:30:54 Disinfected Location: c:\windows\system32\bcaqomb.exe
Adware detected: Adware/Look2Me 07/12/05 16:29:55 Eliminated Location: c:\windows\system32\adlinstallwin32.exe
Adware detected: Adware/Hotoffers 07/12/05 16:26:51 Eliminated Location: c:\windows\system32\guninst.exe
Update 07/12/05 16:26:13 OK New virus signatures: 7581

#51
glennc007

Posted 19 July 2005 - 09:28 AM

Member

Topic Starter
Member
41 posts

I took a little initiative. I hope I didn't screw things up more. Navigating through DOS in safe mode, I deleted the contents of the infected temporary internet files folders indicated in the Panda scan. I then reran Panda again. The scan came up clean. Unfortunately, I still have the blue screen and the desktop remains seemingly non-functional.

Pls advise on where we go from here.

Thanks.

#52
glennc007

Posted 19 July 2005 - 10:49 AM

Member

Topic Starter
Member
41 posts

So, then I ran ewido in safe mode. Here is the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:41:15 PM, 7/19/2005
+ Report-Checksum: EF3F1FD1

+ Scan result:

C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063788.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063789.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063790.exe -> Trojan.Agent.fl : Cleaned with backup

::Report End

#53
g2i2r4

Posted 19 July 2005 - 12:36 PM

retired HiJack Helper

Retired Staff
5,080 posts

Wow, hold your horses!

I have a cleaning program for you to clean out the temp files all over the disk. Please be very carefull what you do. It's still an infected machine. We don't want it to stop functioning all together.

Can you use your infected computer in normal mode and in safe mode?

Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

#54
glennc007

Posted 19 July 2005 - 02:05 PM

Member

Topic Starter
Member
41 posts

OK. Sorry, I'm getting antsy for this to work already.

I can use it in normal mode and safe mode, but I must run everything from task manager.

I ran the display applet using control desk.cpl from the run line. The security info box was not present.

#55
g2i2r4

Posted 19 July 2005 - 02:26 PM

retired HiJack Helper

Retired Staff
5,080 posts

Can you tell me what you see under 'web'? Is there a 'restore defaults'?

#56
g2i2r4

Posted 19 July 2005 - 02:33 PM

retired HiJack Helper

Retired Staff
5,080 posts

I keep seeing a qoologic sign. That could be what's keeping us from cleaning up properly.

Do you mind running the revised tool?

Please Download the following tools to assist us in removing this infection!

Download WinPFind
- Right Click the Zip Folder and Select "Extract All"
- Extract it somewhere you will remember like the Desktop
- Dont do anything with it yet!
Download http://www.bleepingc...1/Trackqoo.zip]Track qoo[/url]
- Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#57
glennc007

Posted 19 July 2005 - 02:34 PM

Member

Topic Starter
Member
41 posts

No restore defaults. There is "New..." and "Synchronize" which are not shaded. Also 'lock desktop", which is currently unchecked.

#58
g2i2r4

Posted 19 July 2005 - 03:01 PM

retired HiJack Helper

Retired Staff
5,080 posts

Are you willing to run those tools? I think it just the other infection that's bugging us.

#59
glennc007

Posted 19 July 2005 - 03:01 PM

Member

Topic Starter
Member
41 posts

Ok:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
qoologic C:\071805 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\panda 071905 AM.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/19/2005 C:\WINDOWS\system32\config\default.LOG
7/19/2005 C:\WINDOWS\system32\config\SAM.LOG
7/19/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/19/2005 C:\WINDOWS\system32\config\software.LOG
7/19/2005 C:\WINDOWS\system32\config\system.LOG
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2JMBQN85\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CGB9UWTH\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5GRCT27\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KU87SJMD\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/19/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

---------------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"PROMon.exe"=""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autoclose"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Titanium Antivirus 2005\\APVXDWIN.EXE\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq]
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}
C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100}
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL

Subkey --- StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467}
C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
Microsoft Office.lnk
==============================
C:\Documents and Settings\Sean\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
Microsoft Office.lnk
AVE122001_CD.exe
desktop.ini
PowerReg Scheduler V3.exe
==============================
C:\WINDOWS\system32 cpl files

access.cpl Microsoft Corporation
ADPanel.cpl Iomega Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl130_02.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
PROSetp.cpl Intel Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
UICONFIG.cpl Compaq Computer Corporation

#60
g2i2r4

Posted 19 July 2005 - 04:18 PM

retired HiJack Helper

Retired Staff
5,080 posts

I must be overlooking something. I'll ask for some assistance.

Meanwhile,

Please RIGHT-CLICK:
here.
and go to Save As (in Internet Explorer it's "Save Target As") in order to download the taskmanagers repair tool. Save it to your desktop.

Locate "taskmanager_reset.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

That should help a bit.

Edited by g2i2r4, 19 July 2005 - 04:27 PM.