Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please Help


  • Please log in to reply

#1
mr isp

mr isp

    Member

  • Member
  • PipPip
  • 23 posts
Hello,
My computer has been going very slow and is being attacked with pop ups and my ad ware removal programs say there removing things but more files keep coming back. here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 8:34:07 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\sbss\sbss.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLServiceHost.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\DiBiase\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1114469196\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [sbss Launcher] "C:\Program Files\sbss\sbss.exe"
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hahjmk.exe reg_run
O4 - HKLM\..\Run: [mxryit] c:\windows\system32\wjcysqn.exe r
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: connwsp.dll
O10 - Unknown file in Winsock LSP: connwsp.dll
O10 - Unknown file in Winsock LSP: connwsp.dll
O10 - Unknown file in Winsock LSP: connwsp.dll
O10 - Unknown file in Winsock LSP: connwsp.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://168.169.199.104/tsweb/msrdp.cab
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\ssmpapi.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





Thank you all for your help I am really grateful

Robert
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi mr isp and Welcome to GeektoGo

Thats a nasty set of bugs you have in there,I may need you to locate and send me some samples!

For now,Download the l2mfix from here
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.
  • 0

#3
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thank you for replying in such short notice he is the log you wanted...


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ssmpapi.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{94E65ABE-7DA8-EFE7-7911-822F44342A09}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{F9D16B5B-700B-4FA3-993C-17539E39E894}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F9D16B5B-700B-4FA3-993C-17539E39E894}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9D16B5B-700B-4FA3-993C-17539E39E894}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9D16B5B-700B-4FA3-993C-17539E39E894}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F9D16B5B-700B-4FA3-993C-17539E39E894}\InprocServer32]
@="C:\\WINDOWS\\system32\\artiveds.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Mon May 2 2005 4:52:34p A.... 1,019,904 996.00 K
cagbkend.dll Fri Jul 1 2005 10:16:20p ..S.R 417,792 408.00 K
cdfview.dll Mon May 2 2005 4:52:34p A.... 151,040 147.50 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
cimocx.dll Thu Jul 7 2005 9:50:42a ..S.R 417,792 408.00 K
dgcompos.dll Tue Jul 5 2005 9:54:30a ..S.R 417,792 408.00 K
hfui.dll Fri Jun 24 2005 9:56:06p ..S.R 417,792 408.00 K
hhsetup.dll Thu May 26 2005 10:04:28p A.... 41,472 40.50 K
iepeers.dll Mon May 2 2005 4:52:34p A.... 250,880 245.00 K
inseng.dll Mon May 2 2005 4:52:34p A.... 96,256 94.00 K
itakui.dll Sat Jun 25 2005 10:38:26a ..S.R 417,792 408.00 K
itircl.dll Thu May 26 2005 10:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 10:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
kydtuq.dll Sat Jun 25 2005 2:53:48p ..S.R 417,792 408.00 K
lxcalspl.dll Sat Jun 25 2005 1:46:46p ..S.R 417,792 408.00 K
mshtml.dll Mon May 2 2005 4:52:36p A.... 3,012,608 2.87 M
mshtmled.dll Mon May 2 2005 4:52:36p A.... 448,512 438.00 K
msi.dll Wed May 4 2005 2:45:32p A.... 2,890,240 2.75 M
msrating.dll Mon May 2 2005 4:52:36p A.... 146,432 143.00 K
nknpuei.dll Sun Jul 3 2005 11:19:28p A.... 27,648 27.00 K
nkoglnt.dll Wed Jun 22 2005 8:31:44p ..S.R 417,792 408.00 K
nrdsbcli.dll Sat Jun 25 2005 1:34:36p ..S.R 417,792 408.00 K
nswrsnl.dll Thu Jun 30 2005 10:28:38p ..S.R 417,792 408.00 K
pncrt.dll Wed Apr 27 2005 8:36:36p A.... 278,528 272.00 K
pndx5016.dll Wed Apr 27 2005 8:36:38p A.... 6,656 6.50 K
pndx5032.dll Wed Apr 27 2005 8:36:38p A.... 5,632 5.50 K
pngfilt.dll Mon May 2 2005 4:52:36p A.... 39,424 38.50 K
rmoc3260.dll Wed Apr 27 2005 8:36:44p A.... 176,167 172.04 K
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K
shdocvw.dll Mon May 2 2005 4:52:36p A.... 1,483,776 1.41 M
shlwapi.dll Mon May 2 2005 4:52:36p A.... 473,600 462.50 K
ssmpapi.dll Wed Jun 22 2005 7:07:26p ..S.R 417,792 408.00 K
supdate.dll Sun Jul 3 2005 11:19:28p A.... 29,184 28.50 K
urlmon.dll Mon May 2 2005 4:52:36p A.... 607,744 593.50 K
wfiscmgr.dll Sat Jul 2 2005 2:45:36p ..S.R 417,792 408.00 K
wininet.dll Mon May 2 2005 4:52:36p A.... 657,920 642.50 K
wtdmtpus.dll Fri Jul 1 2005 9:55:34p ..S.R 417,792 408.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wunsrv.dll Wed Jul 6 2005 10:00:24p ..S.R 417,792 408.00 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 8:25:36p ..... 15,360 15.00 K
__dele~1.dll Fri Jul 8 2005 8:05:04p A.... 417,792 408.00 K
__dele~2.dll Sun Jul 3 2005 11:19:30p A.... 9,728 9.50 K

49 items found: 49 files (14 H/S), 0 directories.
Total of file sizes: 21,157,271 bytes 20.18 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Wed Jun 22 2005 10:28:46p ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B4FC-34D2

Directory of C:\WINDOWS\System32

07/07/2005 09:50 AM 417,792 cImocx.dll
07/06/2005 10:00 PM 417,792 wunsrv.dll
07/05/2005 09:54 AM 417,792 dgcompos.dll
07/02/2005 02:45 PM 417,792 wfiscmgr.dll
07/01/2005 10:16 PM 417,792 cagbkend.dll
07/01/2005 09:55 PM 417,792 wtdmtpus.dll
06/30/2005 10:28 PM 417,792 nswrsnl.dll
06/29/2005 11:27 PM <DIR> dllcache
06/25/2005 02:53 PM 417,792 kydtuq.dll
06/25/2005 01:46 PM 417,792 lxcalspl.dll
06/25/2005 01:34 PM 417,792 nrdsbcli.dll
06/25/2005 10:38 AM 417,792 itakui.dll
06/24/2005 09:56 PM 417,792 hfui.dll
06/22/2005 10:28 PM 417,792 guard.tmp
06/22/2005 08:31 PM 417,792 nkoglnt.dll
06/22/2005 07:07 PM 417,792 ssmpapi.dll
04/24/2005 05:51 PM <DIR> Microsoft
15 File(s) 6,266,880 bytes
2 Dir(s) 108,164,198,400 bytes free




Robert
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,look in the System32 Folder for these files

C:\WINDOWS\system32\artiveds.dll

C:\WINDOWS\system32\supdate.dll

C:\WINDOWS\system32\kydtuq.dll

If you see any of these,please upload them here
http://www.bleepingc...mit-malware.php

Put to this post in there along with l2m files in the Message box!

Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread!

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!


Download Pfind:
http://www.bleepingc...r/pfind-new.zip

Right Click the Zip Folder and Select "Extract All"
So make sure all those files remain in the same folder.

Don't use it yet!

Restart in Safe Mode

Doubleclick pfind.bat
It will scan for a while, so please be patient.
Wait till the doswindow closes.

Post the contents of C:\pfind.txt in your next reply together with the log from the l2mfix!

Please do not reboot the computer after this step!
  • 0

#5
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I sent those files but I forgot to lable them in the message box, sorry.
Here are those logs

The l2mfix Log


L2Mfix 1.03

Running From:
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1728 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 356 'rundll32.exe'
Killing PID 1152 'rundll32.exe'
Killing PID 1220 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\artiveds.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\artiveds.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cagbkend.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cagbkend.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cImocx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cImocx.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgcompos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hfui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hfui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\itakui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\itakui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kydtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kydtuq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lxcalspl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lxcalspl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nkoglnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nkoglnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nrdsbcli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nrdsbcli.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nswrsnl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nswrsnl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ouecli32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ouecli32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssmpapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ssmpapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfiscmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wfiscmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtdmtpus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtdmtpus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wunsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wunsrv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\artiveds.dll
Successfully Deleted: C:\WINDOWS\system32\artiveds.dll
deleting: C:\WINDOWS\system32\artiveds.dll
Successfully Deleted: C:\WINDOWS\system32\artiveds.dll
deleting: C:\WINDOWS\system32\cagbkend.dll
Successfully Deleted: C:\WINDOWS\system32\cagbkend.dll
deleting: C:\WINDOWS\system32\cagbkend.dll
Successfully Deleted: C:\WINDOWS\system32\cagbkend.dll
deleting: C:\WINDOWS\system32\cImocx.dll
Successfully Deleted: C:\WINDOWS\system32\cImocx.dll
deleting: C:\WINDOWS\system32\cImocx.dll
Successfully Deleted: C:\WINDOWS\system32\cImocx.dll
deleting: C:\WINDOWS\system32\dgcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dgcompos.dll
deleting: C:\WINDOWS\system32\dgcompos.dll
Successfully Deleted: C:\WINDOWS\system32\dgcompos.dll
deleting: C:\WINDOWS\system32\hfui.dll
Successfully Deleted: C:\WINDOWS\system32\hfui.dll
deleting: C:\WINDOWS\system32\hfui.dll
Successfully Deleted: C:\WINDOWS\system32\hfui.dll
deleting: C:\WINDOWS\system32\itakui.dll
Successfully Deleted: C:\WINDOWS\system32\itakui.dll
deleting: C:\WINDOWS\system32\itakui.dll
Successfully Deleted: C:\WINDOWS\system32\itakui.dll
deleting: C:\WINDOWS\system32\kydtuq.dll
Successfully Deleted: C:\WINDOWS\system32\kydtuq.dll
deleting: C:\WINDOWS\system32\kydtuq.dll
Successfully Deleted: C:\WINDOWS\system32\kydtuq.dll
deleting: C:\WINDOWS\system32\lxcalspl.dll
Successfully Deleted: C:\WINDOWS\system32\lxcalspl.dll
deleting: C:\WINDOWS\system32\lxcalspl.dll
Successfully Deleted: C:\WINDOWS\system32\lxcalspl.dll
deleting: C:\WINDOWS\system32\nkoglnt.dll
Successfully Deleted: C:\WINDOWS\system32\nkoglnt.dll
deleting: C:\WINDOWS\system32\nkoglnt.dll
Successfully Deleted: C:\WINDOWS\system32\nkoglnt.dll
deleting: C:\WINDOWS\system32\nrdsbcli.dll
Successfully Deleted: C:\WINDOWS\system32\nrdsbcli.dll
deleting: C:\WINDOWS\system32\nrdsbcli.dll
Successfully Deleted: C:\WINDOWS\system32\nrdsbcli.dll
deleting: C:\WINDOWS\system32\nswrsnl.dll
Successfully Deleted: C:\WINDOWS\system32\nswrsnl.dll
deleting: C:\WINDOWS\system32\nswrsnl.dll
Successfully Deleted: C:\WINDOWS\system32\nswrsnl.dll
deleting: C:\WINDOWS\system32\ouecli32.dll
Successfully Deleted: C:\WINDOWS\system32\ouecli32.dll
deleting: C:\WINDOWS\system32\ouecli32.dll
Successfully Deleted: C:\WINDOWS\system32\ouecli32.dll
deleting: C:\WINDOWS\system32\ssmpapi.dll
Successfully Deleted: C:\WINDOWS\system32\ssmpapi.dll
deleting: C:\WINDOWS\system32\ssmpapi.dll
Successfully Deleted: C:\WINDOWS\system32\ssmpapi.dll
deleting: C:\WINDOWS\system32\wfiscmgr.dll
Successfully Deleted: C:\WINDOWS\system32\wfiscmgr.dll
deleting: C:\WINDOWS\system32\wfiscmgr.dll
Successfully Deleted: C:\WINDOWS\system32\wfiscmgr.dll
deleting: C:\WINDOWS\system32\wtdmtpus.dll
Successfully Deleted: C:\WINDOWS\system32\wtdmtpus.dll
deleting: C:\WINDOWS\system32\wtdmtpus.dll
Successfully Deleted: C:\WINDOWS\system32\wtdmtpus.dll
deleting: C:\WINDOWS\system32\wunsrv.dll
Successfully Deleted: C:\WINDOWS\system32\wunsrv.dll
deleting: C:\WINDOWS\system32\wunsrv.dll
Successfully Deleted: C:\WINDOWS\system32\wunsrv.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: artiveds.dll (164 bytes security) (deflated 48%)
adding: cagbkend.dll (164 bytes security) (deflated 48%)
adding: cImocx.dll (164 bytes security) (deflated 48%)
adding: dgcompos.dll (164 bytes security) (deflated 48%)
adding: hfui.dll (164 bytes security) (deflated 48%)
adding: itakui.dll (164 bytes security) (deflated 48%)
adding: kydtuq.dll (164 bytes security) (deflated 48%)
adding: lxcalspl.dll (164 bytes security) (deflated 48%)
adding: nkoglnt.dll (164 bytes security) (deflated 48%)
adding: nrdsbcli.dll (164 bytes security) (deflated 48%)
adding: nswrsnl.dll (164 bytes security) (deflated 48%)
adding: ouecli32.dll (164 bytes security) (deflated 48%)
adding: ssmpapi.dll (164 bytes security) (deflated 48%)
adding: wfiscmgr.dll (164 bytes security) (deflated 48%)
adding: wtdmtpus.dll (164 bytes security) (deflated 48%)
adding: wunsrv.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 88%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 85%)
adding: backregs/F9D16B5B-700B-4FA3-993C-17539E39E894.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: artiveds.dll
deleting local copy: artiveds.dll
deleting local copy: cagbkend.dll
deleting local copy: cagbkend.dll
deleting local copy: cImocx.dll
deleting local copy: cImocx.dll
deleting local copy: dgcompos.dll
deleting local copy: dgcompos.dll
deleting local copy: hfui.dll
deleting local copy: hfui.dll
deleting local copy: itakui.dll
deleting local copy: itakui.dll
deleting local copy: kydtuq.dll
deleting local copy: kydtuq.dll
deleting local copy: lxcalspl.dll
deleting local copy: lxcalspl.dll
deleting local copy: nkoglnt.dll
deleting local copy: nkoglnt.dll
deleting local copy: nrdsbcli.dll
deleting local copy: nrdsbcli.dll
deleting local copy: nswrsnl.dll
deleting local copy: nswrsnl.dll
deleting local copy: ouecli32.dll
deleting local copy: ouecli32.dll
deleting local copy: ssmpapi.dll
deleting local copy: ssmpapi.dll
deleting local copy: wfiscmgr.dll
deleting local copy: wfiscmgr.dll
deleting local copy: wtdmtpus.dll
deleting local copy: wtdmtpus.dll
deleting local copy: wunsrv.dll
deleting local copy: wunsrv.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\artiveds.dll
C:\WINDOWS\system32\artiveds.dll
C:\WINDOWS\system32\cagbkend.dll
C:\WINDOWS\system32\cagbkend.dll
C:\WINDOWS\system32\cImocx.dll
C:\WINDOWS\system32\cImocx.dll
C:\WINDOWS\system32\dgcompos.dll
C:\WINDOWS\system32\dgcompos.dll
C:\WINDOWS\system32\hfui.dll
C:\WINDOWS\system32\hfui.dll
C:\WINDOWS\system32\itakui.dll
C:\WINDOWS\system32\itakui.dll
C:\WINDOWS\system32\kydtuq.dll
C:\WINDOWS\system32\kydtuq.dll
C:\WINDOWS\system32\lxcalspl.dll
C:\WINDOWS\system32\lxcalspl.dll
C:\WINDOWS\system32\nkoglnt.dll
C:\WINDOWS\system32\nkoglnt.dll
C:\WINDOWS\system32\nrdsbcli.dll
C:\WINDOWS\system32\nrdsbcli.dll
C:\WINDOWS\system32\nswrsnl.dll
C:\WINDOWS\system32\nswrsnl.dll
C:\WINDOWS\system32\ouecli32.dll
C:\WINDOWS\system32\ouecli32.dll
C:\WINDOWS\system32\ssmpapi.dll
C:\WINDOWS\system32\ssmpapi.dll
C:\WINDOWS\system32\wfiscmgr.dll
C:\WINDOWS\system32\wfiscmgr.dll
C:\WINDOWS\system32\wtdmtpus.dll
C:\WINDOWS\system32\wtdmtpus.dll
C:\WINDOWS\system32\wunsrv.dll
C:\WINDOWS\system32\wunsrv.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F9D16B5B-700B-4FA3-993C-17539E39E894}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F9D16B5B-700B-4FA3-993C-17539E39E894}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************








The pfind-new










Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\abiuninst.htm: <!-- saved from url=(0041)http://www.abetterin...m/solsssidpeer/ -->
C:\WINDOWS\abiuninst.htm: <td valign=bottom><a href="http://www.abetterinternet.com" class="noa"><span class="abi">ABI Network</span></a></td>
C:\WINDOWS\abiuninst.htm: <a href="http://www.abetterin...m/policies.htm" target=_blank>EULA</a>
C:\WINDOWS\mnmok.dll: excl_urls=www2.bigtrafficnetwork.com,www10.paypopup.com,www10.click2begin.com,www10.bigtrafficnetwork.com,www1.paypopup.com,www1.eta.us,www1.click2begin.com,www1.bigtrafficnetwork.com,wwp.icq.com,ww2.weatherbug.com,ws.websearch.com,wisapidata.weatherbug.com,windowsupdate.microsoft.com,windowsmedia.com,whileyousurf.com,whenusearch.com,websearch.drsnsrch.com,websearch.com,webpdp.gator.com,webcruiser.cc,web.tickle.com,web.icq.com,web.adknowledge.com,weatherbug.com,waytofind.com,viewmorepics.myspace.com,view.atdmt.com,v8.alwaysupdatednews.com,v4.windowsupdate.microsoft.com,us.yimg.com,us.update.companion.yahoo.com,us.js1.yimg.com,us.i1.yimg.com,us.ard.yahoo.com,us.a1.yimg.com,updatelaston.myspace.com,update32.searchmiracle.com,update.searchmiracle.com,update.msupdater.net,tv.180solutions.com,trk.pcsecurityshield.com,trk.bestmagsdirect.com,trafficmp.com,trafficadmin.net,track.pointroll.com,toprebates.com,topmoxie.com,topicks.com,top-banners.com,toolbarqueries.google.com,toolbar5.trafficgeneration.biz,toolbar4.trafficgeneration.biz,toolbar.isearch.com,toolbar.desktoptraffic.net,tinkopal.com,thesearchster.com,thegreatestvitaminintheworld.c,target.com,thecoolbar.com,tag.contextweb.com,t.trafficmp.com,switch.atdmt.com,surfenhance.com,stopzilla.com,stech.web-nexus.net,stats.eblocs.com,ssl-hints.netflame.cc,srv.main.ebayrtm.com,srd.yahoo.com,sr.adwave.com,sr.websearch.com,spe.atdmt.com,songsonpage.com,song.musicvideocodes.com,smileycentral.com,show.budsinc.com,service.bfast.com,server2.103092804.com,server.trafficaces.com,server.iad.liveperson.net,server.cpmstar.com,server-us.imrworldwide.com,servedby.valuead.com,servedby.advertising.com,servedby.adscpm.com,secure-us.imrworldwide.com,searchprogress.com,searcheffect.com,search200.com,sc.musicmatch.com,sandboxer.com,s0b.bluestreak.com,rightmedia.net,realcasinoreview.com,radio.launch.yahoo.com,rad.msn.com,qksrv.net,publishers.clickbooth.com,pr.atwola.com,popuptraffic.com,popupsearches.com,popups.ad-logics.com,popuppers.com,popup.msn.com,pops.browseraid.com,playlist.yahoo.com,pipe.aimexpress.aim.com,photobucket.com,pgq.yahoo.com,pc-test.net,paypopup.com,passportimages.com,pan-advert.com,pagead2.googlesyndication.com,oz.valueclick.com,onlinenow.myspace.com,onemoresearch.net,oinadserve.com,odysseusmarketing.com,oascentral.comcast.net,oascentral.cciads.us,oas-central.realmedia.com,notes.blackplanet.com,newupdates.lzio.com,newsrss.bbc.co.uk,networkcollect.realmedia.com,network.realmedia.com,neededware.com,ncontextsearch.com,ncontextmedia.com,n3285ad.doubleclick.net,mydailyhoroscope.net,my-stats.com,musicvideocodes.com,msads.net,microsoft.com,mm.delfinproject.com,mmm.media-motor.net,messenger.zango.com,messenger.msn.com,member-services.blackplanet.com,member-services.blackplanet.co,mediaplex.com,media76.fastclick.net,media.fastclick.net,media.deskwizz.com,media.adrevolver.com,media.admarketplace.net,mds.centrport.net,maxserving.com,maxifiles.com,master.mx-targeting.com,mail.yahoo.com,mail.myspace.com,mads.webshots.com,m2.doubleclick.net,m3.doubleclick.net,lyricsonpage.com,look2me.com,login.yahoo.com,loginnet.passport.com,login.tracking101.com,login.passport.net,loadingwebsite.com,license.hotbar.com,kill-pop-ups.com,jseedcorn.cjt1.net,js1.yimg.com,join1.winhundred.com,jnictech.cjt1.net,jmnad1.com,jicmedia.cjt1.net,jcontent.bns1.net,jbns2.cydoor.com,jbigpops.cjt1.net,j.2004cms.com,isg05.casalemedia.com,iossrc.com,isapi60.weatherbug.com,internet-optimizer.com,insider.msg.yahoo.com,innovationads.directtrack.com,ingdirect.com,indiads.com,imptrk.metareward.com,img2.mailpostdirect.com,images.trafficmp.com,images.brazilwelcomesyou.com,i.emarketresearchgroup.com,hotmail.com,hotmail.msn.com,http300.edge.ru4.com,host239.ipowerweb.com,hop.clickbank.net,home.myspace.com,hits.clickandtrack.net,help.internet-optimizer.com,heavy.com,grandstreetinteractive.net,grandstreetinteractive.com,goldenpalace.com,gd2.mlb.com,global.msads.net,gms1.net,g6publish.videodome.com,games.yahoo.com,fxfeeds.mozilla.org,focusin.ads.targetnet.com,falkag.net,filter.belkin.com,findonpage.com,ezula.com,empnads.com,everyfreegift.com,eliteoffers.net,ekmas.com,ebay.doubleclick.net,edit.xanga.com,eadexchange.com,e.rn11.com,e.spyspotter.com,dw.dailywinner.net,dr.webservicehosts.com,downloads.aaa1screensavers.com,download.websearch.com,download.smileycentral.com,dotexplore.com,download.abetterinternet.com,dist.belnk.com,dist.belnk.com,dist.belnk.com,desk.mspaceads.com,desb.mspaceads.com,demr.mspaceads.com,delfinproject.com,delb.mspaceads.com,dehp.mspaceads.com,defp.mspaceads.com,debr.mspaceads.com,data.coremetrics.com,ctl.twain-tech.com,creatrixads.com,creativeby.viewpoint.com,couponage.com,counters.honesty.com,count.exitexchange.com,comcast.net,context3.kanoodle.com,cmhtml.overture.com,clicktrk.com,clickspring.net,clickserve.cc-dt.com,clicksearchclick.com,clicks.emarketmakers.com,clickit.go2net.com,clickboothlnk.com,click2begin.com,click2.containsitall.com,claxonmedia.com,chatter.flooble.com,cfg.mywebsearch.com,cdn.valueclick.com,cdn.icq.com,cdn.fastclick.net,cdn.comcast.net,cdn.aim.com,cdn-cf.aol.com,cdn-aimtoday.aol.com,cb.icq.com,cache.trafficmp.com,c5.zedo.com,c4.maxserving.com,c1.zedo.com,by.optimost.com,bv.channel.aol.com,burstnet.com,bulletin.myspace.com,bt1.kanoodle.com,bs.serving-sys.com,blog.myspace.com,blackplanet.com,bigtrafficnetwork.com,bigtrafficnetwork.com,begin2search.com,bannerserver.gator.com,banners.searchingbooth.com,banners.pennyweb.com,banners.exitexchange.com,bannerfarm.ace.advertising.com,badurl.grandstreetinteractive.net,badurl.grandstreetinteractive.com,ayb.lop.com,awbeta.net-nucleus.com,atdmt.com,as.casalemedia.com,as.adwave.com,as-us.falkag.net,ar.atwola.com,apps.deskwizz.com,ap2.auctionscan.biz,aol.com,anrdoezrs.net,amch.questionmarket.com,alwaysupdatednews.com,altfarm.mediaplex.com,allfreenetwork.com,allaboutsearching.com,akapp.whenu.com,aim-charts.pf.aol.com,affiliates.4lowrates.com,adverts.lzio.com,advert.runescape.com,advert-web.runescape.com,adv.eblocs.com,adsvr.adknowledge.com,adsv2.delfinproject.com,adserver.sharewareonline.com,adserv1.gruvmedia.com,adserv.internetfuel.com,adserv.680130.net,ads345.com,ads234.com,ads2.revenue.net,ads1.revenue.net,ads.zone-media.com,ads.us.e-planning.net,ads.surfsidekick.com,ads.shizmoo.com,ads.revsci.net,ads.pointroll.com,ads.mydailyhoroscope.net,ads.inet1.com,ads.flashtrack.net,ads.exitexchange.com,ads.delfinproject.com,ads.clickagents.com,ads.centralmedia.ws,ads.bidclix.com,ads.addynamix.com,adopt.specificclick.net,adopt.hbmediapro.com,adlog2.lzio.com,adfarm.mediaplex.com,adacuity.com,ad.yieldmanager.com,ad.trafficmp.com,ad.reunion.com,ad.linksynergy.com,ad.firstadsolution.com,ad.doubleclick.net,ad.admarketplace.net,ad.adlegend.com,ad-w-a-r-e.com,actualdeals.com,aaabesthomepage.com,a425.v8384d.c8384.g.vm.akamais,a420.v8383d.c8383.g.vm.akamais,a248.e.akamai.net,a1.yimg.com,a1.interclick.com,a.xanga.com,a.websponsors.com,a.tribalfusion.com,a.as-us.falkag.net,99search.com,680130.net,404.grandstreetinteractive.com,3.adbrite.com,103092804.com,0dp.com,www2.click2begin.com,www2.paypopup.com,www2.popupsearches.com,www3.bigtrafficnetwork.com,www3.click2begin.com,www3.paypopup.com,www3.popupsearches.com,www4.bigtrafficnetwork.com,www4.click2begin.com,www4.paypopup.com,www4.yesadvertising.com,www5.bigtrafficnetwork.com,www5.click2begin.com,www5.paypopup.com,www6.bigtrafficnetwork.com,www6.click2begin.com,www6.paypopup.com,www7.bigtrafficnetwork.com,www7.click2begin.com,www7.paypopup.com,www8.bigtrafficnetwork.com,www8.click2begin.com,www8.paypopup.com,www9.bigtrafficnetwork.com,www9.click2begin.com,www9.paypopup.com,xadso.offeroptimizer.com,xadsq.offeroptimizer.com,xanga.com,xbloom.com,xlime.offeroptimizer.com,yahoo.com,yazifind.com,yimg.com,yourfreedvds.com,z1.adserver.com,zone.msn.com,qwickclick.com,qwickable.com,www4.popupsearches.com,www5.popupsearches.com,www6.popupsearches.com,www7.popupsearches.com,www8.popupsearches.com,www9.popupsearches.com,www10.popupsearches.com,www11.popupsearches.com,www12.popupsearches.com,xads.offeroptimizer.com,xadsj.offeroptimizer.com,offeroptimizer.com,adshttp.com,dnaads.com,httpwwwads.com,ads.com,www.ads.com,inqwire.com,defb.mspaceads.com,content.yieldmanager.com,yieldmanager.com,newsh.com,69.28.210.251,bigtrafficnetswork.com,www1.bigtrafficnetswork.com,www2.bigtrafficnetswork.com,www3.bigtrafficnetswork.com,www4.bigtrafficnetswork.com,www5.bigtrafficnetswork.com,www6.bigtrafficnetswork.com,www7.bigtrafficnetswork.com,www8.bigtrafficnetswork.com,www9.bigtrafficnetswork.com,www10.bigtrafficnetswork.com,l00000.myspace.com,cgi.ebay.com,shopathomeselect.com,budsinc.com,ads.trekdata.com,img.mediaplex.com,screensavers.com,pbid.pro-market.net,pro-market.net,clicknchoose.com,code.inqwire.com,ww.smashits.com,wwW.smashits.com,smashits.com,venus123.com,editprofile.myspace.com,comments.myspace.com,profile.myspace.com,cb1.msn.com,go.sidebysidesearch.com,sidebysidesearch.com,ehg-communityconnect.hitbox.co,ami.pointroll.com,install.spywarelabs.com,crtv.mate1.com,consumeralertsystem.com,m.2mdn.net,mynetprotector.com,espn.go.com,art.ath.belnk.com,login.passport.com,smashitsusa.com,results.cafefind.net,ehg-shopathome.hitbox.com,linkpositions.com,oascentral.artistdirect.com,oascentral.videodome.com,buycheapadvertising.com,hotdeals.intelenetwireless.com,wildwabbit.com,psc.disney.go.com,ads.realcastmedia.com,launch.adserver.yahoo.com,premiumnetworkrocks.valuead.co,boomspeed.com,pacimedia.com,apsc.disney.go.com,adserver.yahoo.com,pics.ebaystatic.com,thefacebook.com,cdn-startpage.aol.com,partypoker.touchclarity.com,pop.modserv.net,c.qckjmp.com,lovehappens.com,adoutput.com,users.perfhost.com,cnn.dyn.cnn.com,dealsonrealty.com,redir.windowsmedia.com,ww.smashits.com,music.myspace.com,ads.web.aol.com,runonce.msn.com,log.go.com,newoffer.myfreegiftcards.net,lcplaylist.launch.yahoo.com,beefycomputer.com,mailcenter.comcast.net,ads.realtechnetwork.net,avbj.info,video.rednova.com,certified-safe-downloads.com,as.starware.com,web.checkm8.com,gdx.mlb.com,partypoker.touchclarity.com,xquizit.xangans.com,trackhits.cc,benews.net,server1.103092804.com,server2.103092804.com,server3.103092804.com,server4.103092804.com,server5.103092804.com,server6.103092804.com,server7.103092804.com,server8.103092804.com,server9.103092804.com,server10.103092804.com,tooltips.hotbar.com,ak.imgfarm.com,sidefind.com,srs.targetpoint.com,upload.myspace.com,us.update2.toolbar.yahoo.com,fad-1108.nyc1.targetnet.com,pbid.zenotecnico.com,lc2.bay0.hotmail.passport.com,speed.pointroll.com,64.62.232.32,fad-1107.nyc1.targetnet.com,popunder.paypopup.com,ads.web.aol.com,security-updater.com,cdn.gms1.net,webcrawl.net,fad-1109.nyc1.targetnet.com
C:\WINDOWS\vdklwjychx.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\cioluab.exe: UPX!
C:\WINDOWS\SYSTEM32\dadnocm.exe: .aspack
C:\WINDOWS\SYSTEM32\dlgmkzt.exe: UPX!
C:\WINDOWS\SYSTEM32\DrPMon.dll_tobedeleted: ZepMon
C:\WINDOWS\SYSTEM32\hahjmk.exe: .aspack
C:\WINDOWS\SYSTEM32\ikiwn.dll: .aspack
C:\WINDOWS\SYSTEM32\ikiwn.dll: KavSvc
C:\WINDOWS\SYSTEM32\ikiwn.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\ikiwn.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\jncrnl.exe: UPX!
C:\WINDOWS\SYSTEM32\nknpuei.dll: .aspack
C:\WINDOWS\SYSTEM32\nknpuei.dll: KavSvc
C:\WINDOWS\SYSTEM32\nknpuei.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\nknpuei.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\oklbwms.exe: UPX!
C:\WINDOWS\SYSTEM32\redit.cpl: .aspack
C:\WINDOWS\SYSTEM32\supdate.dll: .aspack
C:\WINDOWS\SYSTEM32\supdate.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\supdate.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\supdate.dll: 66.63.167.97
C:\WINDOWS\SYSTEM32\supdate.dll: 66.63.167.77
C:\WINDOWS\SYSTEM32\supdate.dll: KavSvc
C:\WINDOWS\SYSTEM32\wuwav.dat: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder


C:\Documents and Settings\All Users\Start Menu\programs\Startup\rark.exe: .aspack


Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\DiBiase\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\DiBiase\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Fri Jul 8 2005 10:55:22p A.S.. 2,048 2.00 K

C:\WINDOWS\HELP\
update.gid Mon Jun 13 2005 1:04:56p A..H. 10,820 10.57 K

C:\WINDOWS\INF\
oem9.inf Wed Jun 29 2005 9:37:08a ...H. 0 0.00 K

C:\WINDOWS\TASKS\
sa.dat Fri Jul 8 2005 10:54:14p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Fri Jul 8 2005 10:55:14p A..H. 8,192 8.00 K
sam.log Fri Jul 8 2005 10:55:32p A..H. 1,024 1.00 K
security.log Fri Jul 8 2005 10:55:24p A..H. 12,288 12.00 K
software.log Fri Jul 8 2005 10:55:38p A..H. 61,440 60.00 K
system.log Fri Jul 8 2005 10:55:28p A..H. 966,656 944.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pae700~1.cab Thu Jun 23 2005 1:59:44p ..SHR 305,145 297.99 K
pae704~1.cab Thu Jun 23 2005 2:01:42p ..SHR 68,327 66.72 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb890046.cat Tue May 17 2005 11:23:22a ..S.. 11,845 11.57 K
kb893066.cat Wed May 25 2005 2:39:08p ..S.. 10,786 10.53 K
kb896358.cat Thu May 26 2005 7:22:40p ..S.. 15,022 14.67 K
kb896422.cat Tue May 10 2005 10:34:26a ..S.. 10,786 10.53 K
kb896428.cat Tue May 10 2005 7:52:26p ..S.. 10,786 10.53 K
kb898461.cat Tue May 17 2005 3:16:24p ..S.. 9,735 9.50 K
oem9.cat Thu May 26 2005 4:27:36a ..S.. 13,511 13.19 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Thu Jun 23 2005 6:10:10p A..H. 1,024 1.00 K

C:\WINDOWS\TEMP\HISTORY\HISTORY.IE5\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 113 0.11 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\4Z01AZG1\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\6J8F2ZOL\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\ODS5KX8F\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\QJA5U3IB\
desktop.ini Thu Jun 23 2005 6:05:00p ..SH. 67 0.06 K

25 items found: 25 files, 0 directories.
Total of file sizes: 1,519,889 bytes 1.45 M
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
That was the wrong PFind link apparently!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download and Install
CleanUp!
Dont use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Run Cleanup,when prompted to log off>> Select No

Scan the PC with Ewido just as described in the link,make sure to Save the Report

Scan the System with Ad Aware,remove everything it finds and delete all quaratine files!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Kaspersky!

Edited by Cretemonster, 08 July 2005 - 02:17 PM.

  • 0

#7
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here are the logs you wanted.



I have a question though; after running cleanup my "Theme" changed from "Windows XP" to "Windows Classic" (See the attached image). When I change it back to "Windows Xp" theme all it does is change the back round. Do you know how to change it back?


untitled.JPG



The Ewido Log


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:48:15 PM, 7/10/2005
+ Report-Checksum: 8B6C2FAB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Virtual Bouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\.DEFAULT\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-854245398-1123561945-725345543-1003\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-18\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rark.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/artiveds.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/cagbkend.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/cImocx.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/dgcompos.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/hfui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/itakui.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/kydtuq.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/lxcalspl.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/nkoglnt.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/nrdsbcli.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/nswrsnl.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/ouecli32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/ssmpapi.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/wfiscmgr.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/wtdmtpus.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\DiBiase\Desktop\New Folder\l2mfix\backup.zip/wunsrv.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINDOWS\systb.dll_tobedeleted -> Spyware.ImiBar : Cleaned with backup
C:\WINDOWS\system32\cioluab.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\dlgmkzt.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll_tobedeleted -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\ikiwn.dll -> TrojanDownloader.Qoologic.t : Cleaned with backup
C:\WINDOWS\system32\jncrnl.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\oklbwms.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup


::Report End






The Kaspersky Log







-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Sunday, July 10, 2005 13:59:51
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/07/2005
Kaspersky Anti-Virus database records: 129864
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49647
Number of viruses found: 19
Number of infected objects: 101
Number of suspicious objects: 0
Duration of the scan process: 2190 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\04A71F50.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\Program Files\Norton AntiVirus\Quarantine\05E0498C.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\Program Files\Norton AntiVirus\Quarantine\15467C75.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\2A26044A.exe Infected: Trojan.Win32.Agent.ay
C:\Program Files\Norton AntiVirus\Quarantine\2A40542D.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\Program Files\Norton AntiVirus\Quarantine\2A447E2A.asw Infected: Trojan-Downloader.Win32.Small.abd
C:\Program Files\Norton AntiVirus\Quarantine\2A472826.fr5 Infected: Trojan-Downloader.Win32.Intexp.c
C:\Program Files\Norton AntiVirus\Quarantine\2A4A5222.fr6 Infected: Trojan.Win32.Agent.db
C:\Program Files\Norton AntiVirus\Quarantine\3D8D5C23.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\Program Files\Norton AntiVirus\Quarantine\4F1127AA.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\Program Files\Norton AntiVirus\Quarantine\4F1451A6.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\Program Files\Norton AntiVirus\Quarantine\62CA7204.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\Program Files\Norton AntiVirus\Quarantine\656C61D4.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\Program Files\Norton AntiVirus\Quarantine\6BC24D3E.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\Program Files\Norton AntiVirus\Quarantine\75216899.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\Program Files\Norton AntiVirus\Quarantine\7D0541F4.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\7E412A97.htm Infected: Exploit.HTML.Mht
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0037800.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0037806.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0037915.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0037928.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038910.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038916.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038926.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038927.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038941.exe Infected: Trojan-Downloader.Win32.Qoologic.v
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038948.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038959.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038973.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038980.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP100\A0038981.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039000.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039001.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039015.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039016.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039032.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039033.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039044.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039057.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039073.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039074.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039094.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039113.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039114.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039153.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039154.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP101\A0039170.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039180.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039182.exe Infected: Trojan.Win32.Stervis.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039196.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039207.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039208.exe Infected: Trojan-Dropper.Win32.Agent.lu
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039209.DLL Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039210.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039218.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039219.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP102\A0039221.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0039231.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040449.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040479.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040483.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040485.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040486.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040487.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040488.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040489.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040492.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP103\A0040493.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP54\A0011638.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP77\A0031454.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP77\A0031470.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP77\A0031492.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP92\A0034991.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP97\snapshot\MFEX-11.DAT Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036492.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036496.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036500.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036501.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036504.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036513.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036514.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\A0036572.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP98\snapshot\MFEX-11.DAT Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036620.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036625.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036633.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036680.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036689.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036711.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036733.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036734.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0036748.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037748.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037766.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037777.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037785.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037786.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037793.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{53E9C158-13C7-4F7A-80EA-4917C6726124}\RP99\A0037795.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\WINDOWS\system32\dadnocm.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\system32\wuwav.dat Infected: Trojan-Downloader.Win32.Qoologic.u

Scan process completed.






Hijack This Log









Logfile of HijackThis v1.99.1
Scan saved at 2:02:02 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\sbss\sbss.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLHOS~1.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\DiBiase\Desktop\New Folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1114469196\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [sbss Launcher] "C:\Program Files\sbss\sbss.exe"
O4 - HKLM\..\Run: [exp] C:\WINDOWS\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hahjmk.exe reg_run
O4 - HKLM\..\Run: [mxryit] c:\windows\system32\wjcysqn.exe r
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://168.169.199.104/tsweb/msrdp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




Robert
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,For your Theme,Cleanup has snatch up the luna.msstyles file from

C:\Windows\Resources\Themes\Luna

To replace it,Click Start>> Search and Type in luna.msstyles

You should get results for more than one location!

Look for the $NTService Pak Uninstall$ folder and Copy the file from there and drop it in the LUNA folder!

Now see if you can upload this file and folder here
http://www.bleepingc...mit-malware.php

c:\windows\system32\wjcysqn.exe<< File

C:\Program Files\sbss<< Folder

I need to see a Hijackthis StartUp Log:
Open HijackThis,Select Config(Bottom Right)>>>Select Misc Tools>>> Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to post the entire contents of that page to the next post!

Lets try Pfind again,its been recently updated

Download Pfind:
http://www.bleepingc...r/pfind-new.zip

Right Click the Zip Folder and Select "Extract All"
So make sure all those files remain in the same folder.

Don't use it yet!

Restart in Safe Mode

Doubleclick pfind.bat
It will scan for a while, so please be patient.
Wait till the doswindow closes.


Post the contents of C:\pfind.txt and the HijackThis StartUp Log!
  • 0

#9
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
The closest thing I found was luna.mst
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Lets try getting Windows Updated to SP2,the file is replaced in that Update anyways,if I am not mistaken!

Let me know if that works!
  • 0

Advertisements


#11
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
My theme is back thank you,

The PFind link does not work.

I could not find the file wjcysqn.exe, however I uploaded the contents of the folder sbss, you should have received 4 files all labled "SBSS FILES"


Here is the start up log from hijack this,


StartupList report, 7/11/2005, 9:30:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\DiBiase\Desktop\New Folder\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLServiceHost.exe
C:\Program Files\sbss\sbss.exe
C:\Program Files\Cas\Client\casclient.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DiBiase\Desktop\New Folder\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\DiBiase\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PRISMSVR.EXE = "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
DeviceDiscovery = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
HostManager = C:\Program Files\Common Files\AOL\1114469196\EE\AOLHostManager.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
Opware14 = "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
OpScheduler = "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
OP14 Reminder = "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
cfgmgr52 = RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
vidctrl = C:\WINDOWS\system32\vidctrl\vidctrl.exe
sbss Launcher = "C:\Program Files\sbss\sbss.exe"
exp = C:\WINDOWS\system32\exp
KavSvc = C:\WINDOWS\system32\hahjmk.exe reg_run
mxryit = c:\windows\system32\wjcysqn.exe r
AUNPS2 = RUNDLL32 AUNPS2.DLL,_Run@16
exp.exe = C:\WINDOWS\system32\exp.exe
WinTask driver = C:\WINDOWS\system32\wintask.exe
VBouncer = C:\PROGRA~1\VBouncer\VirtualBouncer.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
CAS Client = "C:\Program Files\Cas\Client\casclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {549B5CA7-4A86-11D7-A4DF-000874180BB3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - DiBiase.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Anti-Virus Web Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....204&clcid=0x409

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Microsoft RDP Client Control (redist)]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msrdp.ocx
CODEBASE = http://168.169.199.104/tsweb/msrdp.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: connwsp.dll (file MISSING)
Protocol #2: connwsp.dll (file MISSING)
Protocol #3: connwsp.dll (file MISSING)
Protocol #4: connwsp.dll (file MISSING)
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\rsvpsp.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: connwsp.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (autostart)
AOL Spyware Protection Service: C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
bvrp_pci: \??\C:\WINDOWS\System32\drivers\bvrp_pci.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Dell TrueMobile 1300 USB2.0 WLAN Card Driver: System32\DRIVERS\PRISMA02.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelC51: System32\DRIVERS\IntelC51.sys (manual start)
IntelC52: System32\DRIVERS\IntelC52.sys (manual start)
IntelC53: System32\DRIVERS\IntelC53.sys (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.6: System32\DRIVERS\mdc8021x.sys (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
mohfilt: System32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
MSSQL$MICROSOFTBCM: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050706.008\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050706.008\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (manual start)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLAgent$MICROSOFTBCM: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B435E5F2-A384-4E66-9F62-DC44B767C5DC} (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20050610.011\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 39,656 bytes
Report generated in 0.157 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,the Qoologic Infection is still running,that explains how that survived!

It will take 2 more Scans to locate the missing pieces of the puzzle!

please download rkfiles.zip and unzip it to its own permanent folder.
http://skads.org/special/rkfiles.zip

Restart the computer in Safe Mode.

Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt

Download Track Qoo from Here

Download and Right Click the Zip folder and Select "Extract All"

Double Click on "Track qoo.vbs"

If you Antivirus has Script Blocking,you will get a Pop Up Windows asking you what to do

Allow this Entire Script to Run,its harmless!

Wait a few seconds and a notepad page will pop up,Copy&Paste those results in the next post!


In the Next post,place all these together

A Fresh HijackThis Startup list

Results of Track Qoo

Results of RKFiles

The reason for this is the Changing Names of these files!

Post back as soon as completed!


Edit:

This is too weird,3 of the 4 files from that folder made it,I recieved

sbss.exe

sa.dat

2768-sbss.exe

So far the Only Antivirus to detect anything has been Panda!

When you are in Safe Mode,try locating these files

c:\windows\system32\wjcysqn.exe

C:\WINDOWS\system32\wintask.exe

And the missing file from the sbss folder

Create a Folder by right clicking the desktop and selecting "New"-> Compressed(zipped)Folder

Once all are placed in the folder and before you close it-> Click "File"-> Click "Add a Password"-> Make the Password "infected" and try to submit it to the same site once back in Normal Mode!

If you cant locate,them dont worry about,I am just interested in those files!

Edited by Cretemonster, 11 July 2005 - 04:43 AM.

  • 0

#13
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
ok as soon as I get to infected computer at about 5:00 PM I will perform the tasks you told me to perform.

btw the last file in the ssbs folder that you didn't recive was the unisall program for ssbs,i'll resend it when I get to that computer.
  • 0

#14
mr isp

mr isp

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Here are the logs you wanted, I am on a very tight time table and won't be home till this evening and I will submit the files then.

HijackThis Startup list


StartupList report, 7/13/2005, 9:21:02 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\DiBiase\Desktop\New Folder\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLHOS~1.EXE
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\PROGRA~1\COMMON~1\AOL\111446~1\EE\AOLServiceHost.exe
C:\Program Files\sbss\sbss.exe
C:\Program Files\Cas\Client\casclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\DiBiase\Desktop\New Folder\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\DiBiase\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PRISMSVR.EXE = "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
DeviceDiscovery = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
HostManager = C:\Program Files\Common Files\AOL\1114469196\EE\AOLHostManager.exe
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
Opware14 = "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
OpScheduler = "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
OP14 Reminder = "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
cfgmgr52 = RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
vidctrl = C:\WINDOWS\system32\vidctrl\vidctrl.exe
sbss Launcher = "C:\Program Files\sbss\sbss.exe"
exp = C:\WINDOWS\system32\exp
KavSvc = C:\WINDOWS\system32\hahjmk.exe reg_run
mxryit = c:\windows\system32\wjcysqn.exe r
AUNPS2 = RUNDLL32 AUNPS2.DLL,_Run@16
exp.exe = C:\WINDOWS\system32\exp.exe
WinTask driver = C:\WINDOWS\system32\wintask.exe
VBouncer = C:\PROGRA~1\VBouncer\VirtualBouncer.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
CAS Client = "C:\Program Files\Cas\Client\casclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {549B5CA7-4A86-11D7-A4DF-000874180BB3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - DiBiase.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Anti-Virus Web Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....204&clcid=0x409

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Microsoft RDP Client Control (redist)]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msrdp.ocx
CODEBASE = http://168.169.199.104/tsweb/msrdp.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: connwsp.dll (file MISSING)
Protocol #2: connwsp.dll (file MISSING)
Protocol #3: connwsp.dll (file MISSING)
Protocol #4: connwsp.dll (file MISSING)
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\rsvpsp.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: connwsp.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (autostart)
AOL Spyware Protection Service: C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
bvrp_pci: \??\C:\WINDOWS\System32\drivers\bvrp_pci.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Dell TrueMobile 1300 USB2.0 WLAN Card Driver: System32\DRIVERS\PRISMA02.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelC51: System32\DRIVERS\IntelC51.sys (manual start)
IntelC52: System32\DRIVERS\IntelC52.sys (manual start)
IntelC53: System32\DRIVERS\IntelC53.sys (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.6: System32\DRIVERS\mdc8021x.sys (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
mohfilt: System32\DRIVERS\mohfilt.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
MSSQL$MICROSOFTBCM: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050706.008\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050706.008\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (manual start)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLAgent$MICROSOFTBCM: C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B435E5F2-A384-4E66-9F62-DC44B767C5DC} (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20050610.011\symidsco.sys (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 39,525 bytes
Report generated in 0.218 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only





Results of Track Qoo


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRISMSVR.EXE"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1114469196\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"Opware14"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\Opware14.exe\""
"OpScheduler"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\OpScheduler.exe\""
"OP14 Reminder"="\"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\EregEng\\Ereg.exe\" -r \"C:\\Program Files\\ScanSoft\\OmniPagePro14.0\\EregEng\\ereg.ini\""
"cfgmgr52"="RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun"
"vidctrl"="C:\\WINDOWS\\system32\\vidctrl\\vidctrl.exe"
"sbss Launcher"="\"C:\\Program Files\\sbss\\sbss.exe\""
"exp"="C:\\WINDOWS\\system32\\exp"
"KavSvc"="C:\\WINDOWS\\system32\\hahjmk.exe reg_run"
"mxryit"="c:\\windows\\system32\\wjcysqn.exe r"
"AUNPS2"="RUNDLL32 AUNPS2.DLL,_Run@16"
"exp.exe"="C:\\WINDOWS\\system32\\exp.exe"
"WinTask driver"="C:\\WINDOWS\\system32\\wintask.exe"
"VBouncer"="C:\\PROGRA~1\\VBouncer\\VirtualBouncer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- mymnqgxq
{1a8539c2-27bc-4299-8564-365e5cbe1552}
C:\WINDOWS\system32\ikiwn.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton AntiVirus\NavShExt.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
Quicken Scheduled Updates.lnk
==============================
C:\Documents and Settings\DiBiase\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
Quicken Scheduled Updates.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
CTDetect.cpl Creative Technology Ltd.
CTDevCtrl.cpl Creative Technology Ltd.
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation





Results of RKFiles


C:\Documents and Settings\DiBiase\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\vdklwjychx.exe: UPX!
Finished
bye


Robert
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Allrighty,lets get you cleaned up!

Get Ewido Updated,One more Safe Mode Scan!

Attached is a Zip Folder,containing a Reg File,Download the Zip Folder to the Desktop,Right Click and Select Extract All!

Place the Reg File on your Desktop but dont run it yet!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Use the list below and Copy&Paste each entry into Pocket Killbox,Use the Instructions that follow

C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\vdklwjychx.exe
C:\WINDOWS\system32\vidctrl
C:\WINDOWS\system32\exp
C:\WINDOWS\system32\ikiwn.dll
C:\WINDOWS\system32\hahjmk.exe
c:\windows\system32\wjcysqn.exe
C:\WINDOWS\system32\AUNPS2.DLL
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\sbss



As you Paste each into Killbox,place a tick by any of these selections available

"Delete on Reboot"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Restart in Safe Mode and Run the Files through Killbox again to assure that none still exist!

This time,place a tick by any of these Selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"



Now,Double Click on the Reg File and allow it to Merge into the Registry


Scan,once more with Ewido and Post those results along with a fresh HijackThis log!

Attached Files


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP