trojan.desktophijack and related [resolved]


This topic is locked

#46 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)

Can you rerun Panda for me?


#47 glennc007 (Member, Topic Starter, 41 posts)

Jotti found nothing in the new wininet.dll

Tried to run silent runners, but after double click, cursor becomes hourglass + pointer for a second, then nothing happens.

#48 glennc007 (Topic Starter)

OK. Running Panda now. I might have to take off before it finishes, in which case I'll post first thing tomorrow AM (I'm in Philadelphia, USA).

Thanks for continuing to work with me to fix this. I'm hoping we're getting close now.....

#49 g2i2r4 (retired HiJack Helper)

I'm in Europe (23.50 here now, sleepytime). I'll see if I can take a peek during the day, but will be back around 19.00 tomorrow.

#50 glennc007 (Topic Starter)

Panda Titanium Antivirus 2005 incident report


EVENT DATE RESULTS ADDITIONAL INFORMATION
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scan completed 07/18/05 17:58:37 Scan: All My Computer
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1]_CHM.vir[track9.htm]
Virus detected: VBS/Psyme.C 07/18/05 17:44:36 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:36 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1]_CHM.vir[track6.htm]
Adware detected: Adware/EasySearch 07/18/05 17:44:23 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\index[1].chm[index.exe]
Virus detected: VBS/Psyme.C 07/18/05 17:44:21 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:21 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1]_CHM.vir[track9.htm]
Scan started 07/18/05 17:39:04 Scan: All My Computer
Script execution 07/18/05 17:35:46 Blocked File: C:\Documents and Settings\Sean\Desktop\Silent Runners.vbs
Script execution 07/18/05 17:34:48 Blocked File: C:\Silent Runners.vbs
Script execution 07/18/05 17:34:19 Blocked File: C:\Silent Runners.vbs
Connection attempt 07/18/05 17:04:03 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:53:32 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:32:15 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:31:03 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/18/05 16:17:19 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/15/05 10:14:11 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 17:14:09 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 16:27:38 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 14:49:37 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/14/05 11:05:54 Blocked Application: C:\WINDOWS\system32\svchost.exe
Connection attempt 07/12/05 17:26:19 Blocked Source IP address: 192.168.1.101
Connection attempt 07/12/05 17:26:10 Blocked Source IP address: 192.168.1.101
Scan completed 07/12/05 17:01:55 Scan: All My Computer
Virus detected: Trj/Qoologic.D 07/12/05 17:01:53 Disinfected Location: C:\WINDOWS\system32\zpxbgrz.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:50 Disinfected Location: C:\WINDOWS\system32\weird.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:46 Eliminated Location: C:\WINDOWS\system32\urkvn.dll
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:41 Disinfected Location: C:\WINDOWS\system32\uci.exe
Virus detected: Trj/Downloader.BJG 07/12/05 17:01:39 Disinfected Location: C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Adware detected: Adware/AdBehavior 07/12/05 17:01:31 Eliminated Location: C:\WINDOWS\system32\pquyv.dat
Adware detected: Adware/DownloadWare 07/12/05 17:00:46 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.exe
Adware detected: Adware/Novo 07/12/05 17:00:43 Eliminated Location: C:\WINDOWS\system32\cdapp\phblgjsmiu.dll
Virus detected: Trj/Clicker.FV 07/12/05 17:00:34 Disinfected Location: C:\WINDOWS\system\ugmgoe.exe
Spyware detected: Spyware/BetterInet 07/12/05 17:00:33 Eliminated Location: C:\WINDOWS\system\QBUninstaller.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:16 Eliminated Location: c:\windows\system32\rkaump.exe
Adware detected: Adware/BookedSpace 07/12/05 17:00:10 Eliminated Location: C:\WINDOWS\ldzpgsif.exe
Adware detected: Adware/AdBehavior 07/12/05 17:00:04 Eliminated Location: c:\windows\system32\rekcuir.dll
Virus detected: W32/Smitfraud.A 07/12/05 16:58:57 Disinfected Location: C:\RECYCLER\S-1-5-21-825722390-3549862705-862503612-500\Dc1.dll
Virus detected: Trj/Qoologic.F 07/12/05 16:58:11 Disinfected Location: c:\windows\system32\pcmqd.dll
Adware detected: Adware/EliteBar 07/12/05 16:57:56 Eliminated Location: C:\Program Files\sdf.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\CasStub\casstub.exe
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:54:07 Eliminated Location: C:\Program Files\Cas\Client\Uninstall.exe
Virus detected: Trj/Downloader.BJG 07/12/05 16:48:03 Disinfected Location: c:\windows\system32\leisureboxinst_ppi1a.exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:47:42 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:47:36 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\V6O77TGD\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:47:31 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\trk_0009[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:47:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\pcs_0009[1].exe
Virus detected: Trj/Multidropper.AOT 07/12/05 16:47:20 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\QRABUDEX\dropper[1].chm
Adware detected: Adware/Look2Me 07/12/05 16:47:13 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\Q7WFEH61\nsh_118[1].exe
Adware detected: Adware/TopConvert 07/12/05 16:47:00 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\website[1].ocx
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:54 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\marketing32[1].htm
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[1][Content]
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM[track9.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:46:47 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\TRACK9[1].CHM
Virus detected: Exploit/URLSpoof 07/12/05 16:46:47 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\C3TR22VP\%68%70[2]
Adware detected: Adware/Look2Me 07/12/05 16:46:46 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\nsh_115[1].exe
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:41 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\marketing32[1].htm
Virus detected: Exploit/Mhtredir.gen 07/12/05 16:46:34 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\BE8FZLOP\CA85WX4J.HTM
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM[track6.htm]
Virus detected: VBS/Psyme.C 07/12/05 16:46:28 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\TRACK6[1].CHM
Spyware detected: Spyware/BargainBuddy 07/12/05 16:46:26 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\marketing32[1].htm
Adware detected: Adware/Apropos 07/12/05 16:46:19 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\8ZT7U6JP\auto_update[1]
Adware detected: Adware/Pacimedia 07/12/05 16:46:09 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\trk_0006[1].exe
Adware detected: Adware/Pacimedia 07/12/05 16:46:03 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\pcs_0006[1].exe
Adware detected: Adware/EasySearch 07/12/05 16:45:58 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\index[1].chm[index.exe]
Spyware detected: Spyware/Media-motor 07/12/05 16:45:57 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\diamond[1].cab
Adware detected: Adware/Pacimedia 07/12/05 16:45:51 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\trk_0009[1].exe
Virus detected: Exploit/URLSpoof 07/12/05 16:45:51 Disinfected Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\2LXANI5G\%68%70[4]
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Renamed Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM
Virus detected: VBS/Psyme.C 07/12/05 16:45:46 Notified Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\TRACK9[1].CHM[track9.htm]
Spyware detected: Spyware/BargainBuddy 07/12/05 16:45:44 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\marketing32[1].htm
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.dll]
Spyware detected: Spyware/BetterInet 07/12/05 16:45:37 Eliminated Location: C:\Documents and Settings\Sean\Local Settings\Temporary Internet Files\Content.IE5\012L456P\banner[1].cab[banner.inf]
Spyware detected: Spyware/SafeSurf 07/12/05 16:45:21 Eliminated Location: c:\windows\system32\installerv3.exe
Virus detected: W32/Smitfraud.A 07/12/05 16:41:40 Disinfected Location: C:\Documents and Settings\Administrator\My Documents\wininet.OLD
Spyware detected: Cookie/Zedo 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@zedo[1].txt
Spyware detected: Cookie/Adserver 07/12/05 16:41:26 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@z1.adserver[1].txt
Spyware detected: Cookie/SpyLog 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@spylog[1].txt
Spyware detected: Cookie/Paypopup 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@paypopup[1].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@overture[1].txt
Spyware detected: Cookie/Enhance 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@c.enhance[1].txt
Spyware detected: Cookie/Azjmp 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@azjmp[2].txt
Spyware detected: Cookie/adultfriendfinder 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@adultfriendfinder[1].txt
Spyware detected: Cookie/YieldManager 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@ad.yieldmanager[2].txt
Spyware detected: Cookie/QuestionMarket 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@questionmarket[1].txt
Spyware detected: Cookie/Overture 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@perf.overture[1].txt
Spyware detected: Cookie/Belnk 07/12/05 16:41:25 Eliminated Location: C:\Documents and Settings\Sean\Cookies\sean@dist.belnk[2].txt
Adware detected: Adware/PsGuard 07/12/05 16:41:22 Eliminated Location: C:\Documents and Settings\Sean\Application Data\PSGuard.com
Adware detected: Adware/BigTrafficNet 07/12/05 16:41:16 Eliminated Location: C:\WINDOWS\System32\nsi4C.dll
Adware detected: Adware/Novo 07/12/05 16:41:07 Eliminated Location: Windows Registry
Adware detected: Adware/XmlLib 07/12/05 16:41:03 Eliminated Location: Windows Registry
Adware detected: Adware/BlueScreenWarning 07/12/05 16:40:56 Eliminated Location: Windows Registry
Scan started 07/12/05 16:39:48 Scan: All My Computer
Adware detected: Adware/ConsumerAlertSystem 07/12/05 16:33:59 Eliminated Location: c:\windows\system32\dist001.exe
Adware detected: Adware/DealHelper 07/12/05 16:31:44 Eliminated Location: c:\windows\system32\chdboo.exe
Virus detected: Trj/Qoologic.E 07/12/05 16:30:54 Disinfected Location: c:\windows\system32\bcaqomb.exe
Adware detected: Adware/Look2Me 07/12/05 16:29:55 Eliminated Location: c:\windows\system32\adlinstallwin32.exe
Adware detected: Adware/Hotoffers 07/12/05 16:26:51 Eliminated Location: c:\windows\system32\guninst.exe
Update 07/12/05 16:26:13 OK New virus signatures: 7581
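An added example, not part of this thread or of Panda's software: a small Python triage script for an incident report in the flat layout posted above. It parses each row, separates what Panda actually removed (Disinfected, Eliminated) from what it only renamed or notified about, and counts blocked events that recur for the same program. Run over the rows above it surfaces the repeated outbound attempts by svchost.exe and the blocked script executions of Silent Runners.vbs, which is why Silent Runners appeared to do nothing earlier in the thread. The row layout (event text, then MM/DD/YY HH:MM:SS, then a one-word result, then free text) is inferred from the posted report, and treating "Renamed" and "Notified" as not-removed is an assumption; the sample rows are a constructed subset copied from the report.

```python
"""Triage a Panda Titanium 2005 incident report (added example, not Panda code)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of the rows from the report posted in the thread.
SAMPLE_REPORT = """\
EVENT DATE RESULTS ADDITIONAL INFORMATION
------------------------------------------
Scan completed 07/18/05 17:58:37 Scan: All My Computer
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Renamed Location: C:\\Documents and Settings\\Sean\\Local Settings\\Temporary Internet Files\\Content.IE5\\BE8FZLOP\\TRACK9[1]_CHM.vir
Virus detected: VBS/Psyme.C 07/18/05 17:44:41 Notified Location: C:\\Documents and Settings\\Sean\\Local Settings\\Temporary Internet Files\\Content.IE5\\BE8FZLOP\\TRACK9[1]_CHM.vir[track9.htm]
Adware detected: Adware/EasySearch 07/18/05 17:44:23 Notified Location: C:\\Documents and Settings\\Sean\\Local Settings\\Temporary Internet Files\\Content.IE5\\2LXANI5G\\index[1].chm[index.exe]
Script execution 07/18/05 17:35:46 Blocked File: C:\\Documents and Settings\\Sean\\Desktop\\Silent Runners.vbs
Connection attempt 07/18/05 17:04:03 Blocked Application: C:\\WINDOWS\\system32\\svchost.exe
Connection attempt 07/18/05 16:53:32 Blocked Application: C:\\WINDOWS\\system32\\svchost.exe
Virus detected: Trj/Qoologic.D 07/12/05 17:01:53 Disinfected Location: C:\\WINDOWS\\system32\\zpxbgrz.dll
Adware detected: Adware/AdBehavior 07/12/05 17:01:46 Eliminated Location: C:\\WINDOWS\\system32\\urkvn.dll
Update 07/12/05 16:26:13 OK New virus signatures: 7581
"""

# Assumed row layout: "<event> MM/DD/YY HH:MM:SS <result> <free text>".
ROW = re.compile(
    r"^(?P<event>.+?) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<result>\S+) (?P<info>.*)$"
)

# Results that leave the detected file on disk in some form (assumption about Panda's wording).
NOT_REMOVED = {"Renamed", "Notified"}


@dataclass
class Event:
    event: str       # "Virus detected: VBS/Psyme.C", "Connection attempt", ...
    when: datetime
    result: str      # Disinfected / Eliminated / Renamed / Notified / Blocked / OK / ""
    info: str        # "Location: ...", "Application: ...", ...

    @property
    def name(self) -> str:
        """Detection name after the colon, or the bare event type."""
        return self.event.split(": ", 1)[1] if ": " in self.event else self.event

    @property
    def path(self) -> str:
        """Path or program named in the free-text column."""
        return self.info.split(": ", 1)[1] if ": " in self.info else self.info


def parse_report(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, dashed rule, blank line
        result, info = m["result"], m["info"]
        if result.endswith(":"):  # scan start/stop rows have no result column
            result, info = "", f"{result} {info}"
        events.append(Event(m["event"], datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
                            result, info))
    return events


def still_present(events: list[Event]) -> list[tuple[str, str]]:
    """Detections Panda did not remove: (detection name, path)."""
    return [(e.name, e.path) for e in events
            if " detected: " in e.event and e.result in NOT_REMOVED]


def repeated_blocks(events: list[Event], min_count: int = 2) -> dict[tuple[str, str], int]:
    """Blocked events recurring for the same program/file, e.g. svchost.exe outbound attempts."""
    counts = Counter((e.event, e.path) for e in events if e.result == "Blocked")
    return {k: n for k, n in counts.items() if n >= min_count}


def summarize(events: list[Event]) -> Counter:
    """How many rows ended in each result."""
    return Counter(e.result for e in events)


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    print("results:", dict(summarize(evs)))
    print("not removed:", still_present(evs))
    print("repeated blocks:", repeated_blocks(evs))
```

The two things worth acting on in the output are the "not removed" list (the Content.IE5 .chm and .vir files the user later deleted by hand) and the recurring block on svchost.exe, which on its own is not proof of anything but is the kind of repeat a helper wants a process-level look at rather than another full scan.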

#51 glennc007 (Topic Starter)

I took a little initiative. I hope I didn't screw things up more. Navigating through DOS in safe mode, I deleted the contents of the infected temporary internet files folders indicated in the Panda scan. I then reran Panda. The scan came up clean. Unfortunately, I still have the blue screen and the desktop remains seemingly non-functional.

Please advise on where we go from here.

Thanks.

#52 glennc007 (Topic Starter)

So, then I ran ewido in safe mode. Here is the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:41:15 PM, 7/19/2005
+ Report-Checksum: EF3F1FD1

+ Scan result:

C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063788.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063789.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{4617D869-6DFF-4342-BE3F-6D5D37A05BC1}\RP550\A0063790.exe -> Trojan.Agent.fl : Cleaned with backup


::Report End

#53 g2i2r4 (retired HiJack Helper)

Wow, hold your horses!

I have a cleaning program for you to clean out the temp files all over the disk. Please be very careful what you do. It's still an infected machine. We don't want it to stop functioning altogether.


Can you use your infected computer in normal mode and in safe mode?


Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

#54 glennc007 (Topic Starter)

OK. Sorry, I'm getting antsy for this to work already.

I can use it in normal mode and safe mode, but I must run everything from task manager.

I ran the display applet using control desk.cpl from the run line. The security info box was not present.

#55 g2i2r4 (retired HiJack Helper)

Can you tell me what you see under 'web'? Is there a 'restore defaults'?


#56 g2i2r4 (retired HiJack Helper)

I keep seeing a qoologic sign. That could be what's keeping us from cleaning up properly.

Do you mind running the revised tool?

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo (http://www.bleepingc...1/Trackqoo.zip)
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow the entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#57 glennc007 (Topic Starter)

No restore defaults. There is "New..." and "Synchronize", which are not shaded. Also "Lock desktop", which is currently unchecked.
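An added example for the Web tab / "Security Info" check discussed above; it is not a tool from this thread. The Active Desktop items listed on Display > Desktop > Customize Desktop > Web, the wallpaper, and the policies that grey out those controls (which is what makes "Lock desktop" and "Restore defaults" unreliable indicators) are stored under the current user's registry hive, so an export of those keys (regedit's export or reg export, both using the [key] / "name"=value layout seen in the Track qoo listing) can be checked offline. The script below reads such an export and reports a desktop component whose Source is a local file, a wallpaper that is an HTML page, and policy values set to 1 that stop the user changing the desktop. The sample export is constructed for the example (the desktop.html file name in it is made up); the key and value names are those used by Active Desktop and Explorer policies, while the hijack heuristics themselves are assumptions.

```python
"""Flag an Active Desktop hijack in an exported registry tree (added example, not a thread tool)."""
import re

# Constructed sample export; desktop.html is a made-up file name.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\desktop.html"
"SubscribedURL"=""
"FriendlyName"="Security Info"
"Flags"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"BackupWallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"NoComponents"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Minimal .reg reader: string and dword values only, key path -> {name: value}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m[1], {})
        elif current is not None and (m := VAL_RE.match(line)):
            data = m["data"]
            if data.startswith("dword:"):
                current[m["name"]] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                current[m["name"]] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


AD = "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Desktop"
POL = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
# Policy values that take the Web tab / wallpaper controls away from the user (assumed set).
LOCK_VALUES = {
    POL + "\\ActiveDesktop": {"NoChangingWallPaper", "NoComponents",
                              "NoEditingComponents", "NoDeletingComponents"},
    POL + "\\Explorer": {"NoActiveDesktopChanges", "NoActiveDesktop"},
}


def is_local_html(src: str) -> bool:
    """True for file:///... URLs or drive-letter paths that end in .htm/.html."""
    s = src.lower()
    local = s.startswith("file:") or re.match(r"^[a-z]:\\", s) is not None
    return local and s.endswith((".htm", ".html"))


def find_desktop_hijack(keys: dict) -> list[str]:
    """Human-readable findings; an empty list means nothing matched the heuristics."""
    findings = []
    for key, vals in keys.items():
        if key.startswith(AD + "\\Components\\") and is_local_html(str(vals.get("Source", ""))):
            findings.append(f"desktop component '{vals.get('FriendlyName', '?')}' "
                            f"loads local file {vals['Source']}")
    general = keys.get(AD + "\\General", {})
    for name in ("Wallpaper", "BackupWallpaper"):
        if is_local_html(str(general.get(name, ""))):
            findings.append(f"{name} is an HTML file: {general[name]}")
    for key, names in LOCK_VALUES.items():
        subkey = key.split("\\")[-1]
        for name in sorted(names):
            if keys.get(key, {}).get(name) == 1:
                findings.append(f"policy {subkey}\\{name} = 1 (desktop locked)")
    return findings


if __name__ == "__main__":
    for finding in find_desktop_hijack(parse_reg(SAMPLE_REG)):
        print(finding)
```

A policy value of 1 explains a Web tab with no "Restore defaults" and greyed options better than anything the tab itself shows, so when the GUI check comes back inconclusive, as it did in this thread, the export is the faster route.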

#58 g2i2r4 (retired HiJack Helper)

Are you willing to run those tools? I think it's just the other infection that's bugging us.

#59 glennc007 (Topic Starter)

Ok:

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\071205 pandalog.txt
qoologic C:\071805 pandalog.txt
UPX! C:\cachefile0.sys
KavSvc C:\hijackthis.log
KavSvc C:\hijackthis2.txt
qoologic C:\panda 071905 AM.txt
qoologic C:\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...
FSG! C:\WINDOWS\system32\Chdbook1.xml
PEC2 C:\WINDOWS\system32\dfrg.msc
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\QTFont.qfn
7/19/2005 C:\WINDOWS\system32\config\default.LOG
7/19/2005 C:\WINDOWS\system32\config\SAM.LOG
7/19/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/19/2005 C:\WINDOWS\system32\config\software.LOG
7/19/2005 C:\WINDOWS\system32\config\system.LOG
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2JMBQN85\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CGB9UWTH\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5GRCT27\desktop.ini
7/18/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KU87SJMD\desktop.ini
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4dab5f0f-9ed6-4a1f-bb1c-6f37b381c939
6/24/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/19/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9} = C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100} = C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL
*\shellex\ContextMenuHandlers\StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467} = C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
CPQEASYACC C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
PROMon.exe
srmclean C:\Cpqs\Scom\srmclean.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ADUserMon C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SpybotSnD "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
APVXDWIN "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.


---------------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"PROMon.exe"=""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SpybotSnD"="\"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe\" /autoclose"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Titanium Antivirus 2005\\APVXDWIN.EXE\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Compaq]
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- MediaFaceExtension
{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}
C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Panda Antivirus
{65756541-C65C-11CD-0000-4B656E696100}
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\ShellTit.DLL

Subkey --- StuffIt Context Menu
{2E336DC0-54F8-11D1-ABD5-447270537467}
C:\Program Files\Aladdin Systems\StuffIt Standard\StuffItMenu.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
Microsoft Office.lnk
==============================
C:\Documents and Settings\Sean\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
Microsoft Office.lnk
AVE122001_CD.exe
desktop.ini
PowerReg Scheduler V3.exe
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
ADPanel.cpl Iomega Corporation
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nvtuicpl.cpl NVIDIA Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl130_02.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
PROSetp.cpl Intel Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
UICONFIG.cpl Compaq Computer Corporation
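An added example, not part of WinPFind or of this thread: a Python script that reads a WinPFind report like the one above and sorts its hits. WinPFind's "Files found" lines are "<matched string> <path>": the string is either a packer tag (UPX!, FSG!, PEC2) or a malware name it found inside the file's contents. A name such as qoologic matched inside a .txt or .rpt file is the scanner reading a saved antivirus report that mentions Trj/Qoologic, which is what the pandalog.txt and PANDA.RPT hits above are, so the script separates those from hits in executables. It also pulls out the Image File Execution Options subkeys, because WinPFind prints only key names: a Debugger value under explorer.exe or iexplore.exe redirects that program's launch and has to be read separately with regedit or reg query. The section layout, the extension lists and the set of IFEO names worth checking are assumptions; the sample is a constructed excerpt of the report above.

```python
"""Sort the hits in a WinPFind v1.0.0.8 report (added example, not WinPFind code)."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt of the report posted in the thread.
SAMPLE_WINPFIND = """\
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic C:\\071205 pandalog.txt
UPX! C:\\cachefile0.sys
KavSvc C:\\hijackthis.log
qoologic C:\\PANDA.RPT

Checking %ProgramFilesDir% folder...
UPX! C:\\Program Files\\HijackThis.exe

Checking %System% folder...
FSG! C:\\WINDOWS\\system32\\Chdbook1.xml
PEC2 C:\\WINDOWS\\system32\\dfrg.msc
Umonitor C:\\WINDOWS\\system32\\rasdlg.dll

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\\WINDOWS\\QTFont.qfn

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\iexplore.exe
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\qpw.EXE
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
UserInit C:\\WINDOWS\\system32\\userinit.exe,
Shell Explorer.exe
"""

PACKER_TAGS = {"UPX!", "FSG!", "PEC2"}                      # tags seen in the report
TEXT_EXT = {".txt", ".log", ".rpt", ".xml", ".htm", ".html", ".ini"}   # assumed text-like
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}    # assumed executable
# Programs whose IFEO\\Debugger value is a classic launch-hijack point (assumed set).
IFEO_TARGETS = {"explorer.exe", "iexplore.exe", "userinit.exe", "taskmgr.exe"}
IFEO_PREFIX = "Image File Execution Options\\"

FILE_LINE = re.compile(r"^(\S+) ([A-Za-z]:\\.*)$")   # "<signature> <drive path>"
DATE_LIKE = re.compile(r"^\d+/\d+/\d+$")              # rows in the "last 60 days" listing


def classify_file_hit(signature: str, path: str) -> str:
    """One-line reading of a 'Files found' row."""
    ext = PureWindowsPath(path).suffix.lower()
    if signature in PACKER_TAGS:
        if ext in EXEC_EXT:
            return "packed binary: verify publisher/hash"
        return "packer tag in non-executable file: odd, inspect"
    if ext in TEXT_EXT:
        return "keyword inside a text/report file: very likely a saved log"
    return "malware-name string in file contents: inspect"


def triage(report: str) -> dict:
    in_files = False
    files, ifeo = [], []
    for line in report.splitlines():
        if "Files found" in line:
            in_files = True
            continue
        if "Registry Entries Found" in line:
            in_files = False
        if in_files:
            m = FILE_LINE.match(line)
            if m and not DATE_LIKE.match(m[1]):
                files.append((m[1], m[2], classify_file_hit(m[1], m[2])))
        elif IFEO_PREFIX in line:
            ifeo.append(line.split(IFEO_PREFIX, 1)[1])
    needs_debugger_check = sorted(k for k in ifeo if k.lower() in IFEO_TARGETS)
    return {"files": files, "ifeo_subkeys": ifeo, "ifeo_check": needs_debugger_check}


if __name__ == "__main__":
    result = triage(SAMPLE_WINPFIND)
    for sig, path, verdict in result["files"]:
        print(f"{sig:10} {verdict:55} {path}")
    print("IFEO subkeys needing a Debugger-value check:", result["ifeo_check"])
```

On this report the only rows left marked "inspect" after the text-file hits are discounted are the packer-tag matches in non-executables and the rasdlg.dll string hit, which is a far shorter list than the raw output suggests.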

#60 g2i2r4 (retired HiJack Helper)

I must be overlooking something. I'll ask for some assistance.


Meanwhile,

Please RIGHT-CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download the task manager repair tool. Save it to your desktop.

Locate "taskmanager_reset.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

That should help a bit.

Edited by g2i2r4, 19 July 2005 - 04:27 PM.
