Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

i thought i beat this - auroa/nail.exe problems

Started by gap22 , Jul 08 2005 06:04 PM

  • Please log in to reply

#16
Metallica
Posted 14 July 2005 - 03:23 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
It gives me great pleasure to say that is one clean log. :tazz:

Is your computer behaving as it should now?

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0

Advertisements

#17
gap22
Posted 15 July 2005 - 01:51 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
thank you, thank you, thank you.

i do not get constant pop ups anymore.

BUT AVG comes up pretty often saying they detected a trogan horse (normally knnauj.exe or qoulogic.exe (i might not have the spelling right on the 2nd one).

We hit heal and nothing bad appears to happen but i don't think it's completely gone. any suggestions
  • 0

#18
Metallica
Posted 16 July 2005 - 02:02 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let's see where they are hiding.
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a prompt asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,
  • 0

#19
gap22
Posted 16 July 2005 - 02:11 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
i'm having trouble with the track qoo link. every time i hit it i get a message that i can't see that area of the board
  • 0

#20
Metallica
Posted 17 July 2005 - 03:02 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I'll attach it as a Text file to this post.

All you will have to do is rename it to Track qoo 1.vbs

Regards,

Attached Files


  • 0

#21
gap22
Posted 17 July 2005 - 09:59 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
two posts attached. thank you for your continued help.


Track Qoo file:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VirusScan Online"="c:\\program files\\mcafee.com\\vso\\mcvsshld.exe /disabled"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- gttykntt
{523d3c8a-5d13-4727-871d-37b8bdb2806f}
C:\WINDOWS\System32\rqqkv.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
KODAK Picture Transfer Software.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Gregg\Start Menu\Programs\Startup

DESKTOP.INI
KODAK Picture Transfer Software.lnk
Microsoft Office.lnk
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bdeadmin.cpl Borland Software Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_02.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
STAC97.cpl SigmaTel Inc.
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

WinpFind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com C:\WINDOWS\abiuninst.htm
abetterinternet.com C:\WINDOWS\ahhnv.dll
web-nex C:\WINDOWS\ahhnv.dll
UPX! C:\WINDOWS\nxcaaevifrb.exe
buddy.exe C:\WINDOWS\nxcaaevifrb.exe

Checking %System% folder...
aspack C:\WINDOWS\system32\crraqnr.exe
PEC2 C:\WINDOWS\system32\DFRG.MSC
UPX! C:\WINDOWS\system32\locate.com
aspack C:\WINDOWS\system32\qbbuy.dat
Umonitor C:\WINDOWS\system32\rasdlg.dll
aspack C:\WINDOWS\system32\rqqkv.dll
KavSvc C:\WINDOWS\system32\rqqkv.dll
69.59.186.63 C:\WINDOWS\system32\rqqkv.dll
209.66.67.134 C:\WINDOWS\system32\rqqkv.dll
web-nex C:\WINDOWS\system32\rqqkv.dll
yourkey C:\WINDOWS\system32\rqqkv.dll
Umonitor C:\WINDOWS\system32\_002484_.tmp.dll

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/22/2005 C:\WINDOWS\Thumbs.db
6/2/2005 C:\WINDOWS\Help\update.GID
6/27/2005 C:\WINDOWS\INF\oem25.inf
6/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
6/3/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0L2B4TYZ\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\45YR0L6R\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\81QBOPU3\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXQZST6N\desktop.ini
7/12/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\6610d8ef-1d10-4034-bb6e-7b314adaf4b4
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\99214064-f831-4597-acdf-cc9a49e6b3e7
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\f77418e1-9026-41cc-a067-a37bbb51cc17
7/9/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\fbd539f1-f5a7-4f0e-a144-df1026c37e5f
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/17/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
*\shellex\ContextMenuHandlers\gttykntt
{523d3c8a-5d13-4727-871d-37b8bdb2806f} = C:\WINDOWS\System32\rqqkv.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIModeChange Ati2mdxx.exe
PCTVOICE pctspk.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
MCAgentExe C:\Program Files\McAfee.com\Agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
VirusScan Online c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.
  • 0

#22
Metallica
Posted 18 July 2005 - 12:19 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Found them.

Let's clean this out.

Copy the part in bold below into notepad and save it as Appid.reg
Set Filetype to "all files"

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gttykntt]

[-HKEY_CLASSES_ROOT\CLSID\{523d3c8a-5d13-4727-871d-37b8bdb2806f}]


Doubleclick that file and confirm you want to merge it with the registry.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\abiuninst.htm
C:\WINDOWS\ahhnv.dll
C:\WINDOWS\nxcaaevifrb.exe
C:\WINDOWS\system32\crraqnr.exe
C:\WINDOWS\system32\qbbuy.dat
C:\WINDOWS\system32\rasdlg.dll
C:\WINDOWS\system32\rqqkv.dll
C:\WINDOWS\system32\_002484_.tmp.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Post a new HijackThis log when you are done.

Regards,
  • 0

#23
gap22
Posted 18 July 2005 - 09:33 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
all steps followed. let me know what's next....you rock!


Logfile of HijackThis v1.99.1
Scan saved at 8:31:26 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gregg\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} - https://fastconnectk...flowActiveX.CAB
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#24
Metallica
Posted 19 July 2005 - 02:37 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Your log is clean. :tazz:

The only thing that worries me a bit is that windows update is running twice, yet you are still at SP1

Please follow the instructions here:
http://www.microsoft...whattoknow.mspx

Let me know if everything works OK.
  • 0

#25
gap22
Posted 23 July 2005 - 10:52 AM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
no pop up adds or warning the last day. Starting to feel good about it!

As for windows, i get this error every time i go out to the page to do a system scan:

The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.

i've sent microsoft a message asking how to fix as i would like to get onto SP2 to better protect my computer.

any other suggestions. thank you again for all the help. this site truly is great!
  • 0

Advertisements

#26
gap22
Posted 23 July 2005 - 11:07 AM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
spoke too soon. qloogic is back. also - something called common.avj, or common.bvj (might have extensions wrong) kept popping up as a trojan horse.

hjt log looks no different then the last i posted (except of a microsoft tool item i installed from their website to report my issues with trying to scan the system.

arghhhh. this is a pesty little b$@^^@#$!@#!
  • 0

#27
Metallica
Posted 23 July 2005 - 01:18 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you try and get SP2 first?

http://windowsupdate.microsoft.com/

Or preferably this method:
http://www.winsupers..._slipstream.asp

After you did that run "WinPFind" and "Track qoo.vbs" again and post the logs.

Regards,
  • 0

#28
gap22
Posted 23 July 2005 - 02:26 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
i can't get this done today and leave tomorrow for a week. i'll post the results 7/30. please keep this link open.

fyi - the last time i tried to install sp2 i had issues and had to restore the system. fun, fun, fun.
  • 0

#29
gap22
Posted 23 July 2005 - 05:03 PM

gap22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
SP2 went in today successfully - yes!!!!

here is the winpfind log:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 C:\WINDOWS\system32\DFRG.MSC
UPX! C:\WINDOWS\system32\locate.com
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\ntdll.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/22/2005 C:\WINDOWS\Thumbs.db
6/2/2005 C:\WINDOWS\Help\update.GID
6/27/2005 C:\WINDOWS\INF\oem25.inf
7/23/2005 C:\WINDOWS\LastGood.Tmp\INF\oem29.inf
7/23/2005 C:\WINDOWS\LastGood.Tmp\INF\oem29.PNF
6/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/23/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
6/3/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0L2B4TYZ\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\45YR0L6R\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\81QBOPU3\desktop.ini
7/15/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WXQZST6N\desktop.ini
7/12/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\6610d8ef-1d10-4034-bb6e-7b314adaf4b4
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\99214064-f831-4597-acdf-cc9a49e6b3e7
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\f77418e1-9026-41cc-a067-a37bbb51cc17
7/9/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\fbd539f1-f5a7-4f0e-a144-df1026c37e5f
7/15/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/23/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATIModeChange Ati2mdxx.exe
PCTVOICE pctspk.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
MCAgentExe C:\Program Files\McAfee.com\Agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
VirusScan Online c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

================================================================================================================================================================
Tracking Qoo
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"PCTVOICE"="pctspk.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McUpdate.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"VirusScan Online"="c:\\program files\\mcafee.com\\vso\\mcvsshld.exe /disabled"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
KODAK Picture Transfer Software.lnk
Microsoft Office.lnk
==============================
C:\Documents and Settings\Gregg\Start Menu\Programs\Startup

DESKTOP.INI
KODAK Picture Transfer Software.lnk
Microsoft Office.lnk
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bdeadmin.cpl Borland Software Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
MAIN.CPL Microsoft Corporation
mmsys.cpl Microsoft Corporation
NCPA.CPL Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
plugincpl131_02.cpl Sun Microsystems
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
STAC97.cpl SigmaTel Inc.
sysdm.cpl Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


let me know what to get rid of....thank you - i can't say it enough
  • 0

#30
Metallica
Posted 24 July 2005 - 03:28 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I don't see anything bad anymore.

Can you let me know if and when you get another alert?

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP