
Win Fixer 2005 & other popups



#16
Wizard
Retired Staff, 5,661 posts
Please place HijackThis in a permanent folder. To do this:

Right-click the Desktop and select "New" >> "Folder" >> name it whatever you like!

Now locate the original Zip folder that HijackThis came in and place it in the new folder -> once in the new folder, unzip and extract all the files!

Update ewido please!

OK, select Extract without confirmation on WinPFind and on this next Zip I will have you download!

Delete the old LQFix you downloaded earlier and download the one I have attached to this post!

Again, unzip just like WinPFind -> select Extract without confirmation!

You can also try double-clicking the Zip folders and looking at the top left-hand side of the folder to see if the option to Extract All is there!

Once LQFix is unzipped -> double-click LQfix.exe!

Click Install and a new LQfix folder will be created!

Double-click on Clickthis.bat!

It will run its process and reboot the PC!

Once the Command Prompt screen pops up, wait a minute and click OK in the small window that pops up!

When the Brute Force Uninstaller pops up, click Exit!

Let Windows finish loading!

Copy everything inside the quote box below (starting with dir) and paste it into Notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\System32\n?pdb.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it.

Highlight the list below and press Ctrl+C to copy it!

C:\Windows\bitmp32.exe
C:\WINDOWS\dinst.exe
C:\Windows\System32\AUNPS2.DLL
C:\Windows\System32\fhxrlk.exe
C:\Windows\System32\bitmp32.exe
C:\Program Files\owsc\morh.exe
C:\Program Files\owsc


Open Pocket Killbox -> click File -> click Paste from Clipboard!

Place a tick by Delete on Reboot -> click the red circle to delete!

Click Yes to the prompts that follow and let Killbox reboot the PC!

Restart in Safe Mode!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\kdikwqws.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [o89Q3ES] bitmp32.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [vdvgkb] c:\windows\system32\fhxrlk.exe r

O4 - HKCU\..\Run: [Oqttonq] C:\WINDOWS\System32\n?pdb.exe

O4 - HKCU\..\Run: [Eeoe] C:\Program Files\owsc\morh.exe

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab

O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button!

Scan the system again with Ewido -> clean all it finds and save the report!

From the WinPFind folder -> double-click WinPFind.exe and click "Start Scan"

It will scan the entire system, so please be patient!

Once you see "Scan Complete" -> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Restart normally and try the scan with Panda again!

Post back with these logs, please:

HijackThis

Find File.bat

WinPFind

Panda

Ewido
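
One way to mechanise the indicators the post above picks out of the HijackThis log (the extra executable on the system.ini Shell line, a BHO whose DLL is missing, Run values that hand RUNDLL32 or the shell a bare file name, the "?" that HijackThis and dir print for a filename character they cannot render, and a DPF download from a bare IP address). This is an added example by the editor, not a Geeks to Go or HijackThis tool; the heuristics and indicator names are the editor's assumptions and only pre-sort lines for a human reviewer.

```python
"""Triage HijackThis 1.99-style log lines for the indicator patterns this
thread turns on. Added by the editor; not a Geeks to Go or HijackThis tool.
The heuristics are assumptions: they pre-sort lines for a human, nothing more."""
import ipaddress
import re
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")


def split_command(cmd):
    """Return (executable, arguments) for a Run value; honours a quoted exe path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def is_ip_literal(url):
    """True when the URL host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return the indicator names that apply to one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    hits = []
    # HijackThis (and cmd's dir) print '?' for a filename character they cannot
    # render; the batch file in this thread hunts exactly such a file with a
    # '?' wildcard. Only look before any URL so query strings do not trigger it.
    if "?" in body.split("://")[0] or any(ord(c) > 127 for c in body):
        hits.append("unrenderable_char_in_path")
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        # The Shell line should name Explorer.exe and nothing else.
        shell = body.split("Shell=", 1)[1]
        if shell.lower().split() != ["explorer.exe"]:
            hits.append("shell_extra_executable")
    elif section == "O2" and body.endswith("(file missing)"):
        # A registered BHO whose DLL is gone is a leftover worth removing.
        hits.append("bho_file_missing")
    elif section == "O4":
        m4 = O4_RE.match(body)
        if m4:
            exe, args = split_command(m4.group("cmd"))
            exe_name = exe.lower().rsplit("\\", 1)[-1]
            if exe_name in ("rundll32", "rundll32.exe"):
                # RUNDLL32 given a DLL with no directory: resolved via the
                # search path, so the log cannot tell you which file runs.
                if "\\" not in args.split(",", 1)[0]:
                    hits.append("rundll32_bare_dll")
            elif "\\" not in exe:
                # Same problem for a bare executable name as the Run value.
                hits.append("bare_filename_run_value")
    elif section == "O16":
        m16 = O16_RE.match(body)
        if m16 and is_ip_literal(m16.group("url")):
            hits.append("dpf_ip_literal_url")
    return hits


def triage_log(text):
    """Map each flagged log line to its indicators; clean lines are omitted."""
    report = {}
    for raw in text.splitlines():
        hits = triage_line(raw)
        if hits:
            report[raw.strip()] = hits
    return report


# Sample input: lines copied from the logs posted in this thread, plus two
# ordinary entries, so the sort has both kinds to work on.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usaflagfootball.com/",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\kdikwqws.dll (file missing)",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [o89Q3ES] bitmp32.exe",
    r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
    r"O4 - HKCU\..\Run: [Oqttonq] C:\WINDOWS\System32\n?pdb.exe",
    r"O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab",
    r"O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab",
])

if __name__ == "__main__":
    for entry, hits in triage_log(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", entry)
```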

#17
agales
New Member, Topic Starter, 8 posts
I tried the Panda scan again and at about 25% into the scan, Panda and all other open windows were automatically shut down. I tried this 3 times. On the 4th try, I stopped the scan before it shut down and here is that report:

Incident Status Location

Adware:Adware/Transponder No disinfected c:\windows\system32\vmzrlkz.exe
Adware:adware/aurora No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:adware/purityscan No disinfected C:\DOCUMENTS AND SETTINGS\TRAVIS\LOCAL SETTINGS\TEMP\!update.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\bose.ico
Adware:adware/clkoptimizer No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
Adware:adware/aurora No disinfected C:\WINDOWS\SYSTEM32\DrPMon.dll
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/enhsrch No disinfected C:\WINDOWS\dsr.dll
Adware:adware/wintools No disinfected C:\WINDOWS\hisistheurls.exe
Adware:adware/sidesearch No disinfected C:\WINDOWS\sepsd.bin
Adware:adware/webhancer No disinfected C:\WINDOWS\whCC-GIANT.exe
Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\MedCh
Adware:adware/myway No disinfected C:\PROGRAM FILES\MySearch
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\TRAVIS\FAVORITES\1111
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\TRAVIS\FAVORITES\Fun & Games
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
Spyware:spyware/media-motor No disinfected Windows Registry
Dialer:dialer.cgg No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\UPDATEMGR
Adware:adware/bigtrafficnet No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:51:05 PM, on 8/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
c:\windows\system32\vmzrlkz.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\SBInst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Quicken\bagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Travis\LOCALS~1\Temp\Rar$EX00.610\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usaflagfootball.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [doaird] c:\windows\system32\vmzrlkz.exe r
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Eeoe] C:\Program Files\owsc\morh.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe



Find File.bat

Volume in drive C is DSK1_VOL1
Volume Serial Number is 1337-9480

Directory of C:\WINDOWS\System32

08/08/2005 09:22 AM 401,408 n?pdb.exe
1 File(s) 401,408 bytes

Directory of C:\Documents and Settings\Travis\Desktop



WinPFind


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com 9/10/2002 7:27:44 PM 3278 C:\WINDOWS\abiuninst.htm
UPX! 8/17/2005 12:21:58 AM 189859 C:\WINDOWS\dsr.exe
web-nex 8/15/2005 11:19:46 PM 4443 C:\WINDOWS\maakn.dll
PEC2 2/21/2005 10:29:10 AM 745984 C:\WINDOWS\MSVBVM60.DLL
PECompact2 2/21/2005 10:29:10 AM 745984 C:\WINDOWS\MSVBVM60.DLL
UPX! 8/7/2005 12:37:06 AM 52736 C:\WINDOWS\Nail.exe
UPX! 6/2/2002 9:38:20 AM 79360 C:\WINDOWS\opwncrytlmh.exe
PEC2 2/21/2005 10:29:12 AM 78336 C:\WINDOWS\SCRRUN.DLL
PECompact2 2/21/2005 10:29:12 AM 78336 C:\WINDOWS\SCRRUN.DLL
UPX! 3/24/2003 12:44:40 PM 6656 C:\WINDOWS\svcproc.exe
UPX! 6/8/2005 4:13:30 AM 226536 C:\WINDOWS\whCC-GIANT.exe

Checking %System% folder...
SAHAgent 8/5/2005 6:44:30 PM 35 C:\WINDOWS\SYSTEM32\2ss989sb.ini
SAHAgent 8/5/2005 6:44:30 PM 35 C:\WINDOWS\SYSTEM32\68df7ocb.ini
SAHAgent 6/9/2005 4:46:14 PM 35 C:\WINDOWS\SYSTEM32\70tovmto.ini
SAHAgent 6/9/2005 4:46:14 PM 35 C:\WINDOWS\SYSTEM32\bln02nqv.ini
69.59.186.63 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
209.66.67.134 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.97 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
66.63.167.77 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
web-nex 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
winsync 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
rec2_run 8/7/2005 9:44:26 AM 29696 C:\WINDOWS\SYSTEM32\datadx.dll
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 12/5/2003 1:46:08 PM 28160 C:\WINDOWS\SYSTEM32\DrPMon.dll
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
SAHAgent 5/6/2004 4:01:42 PM 30070 C:\WINDOWS\SYSTEM32\fiz10
abetterinternet.com 5/8/2004 1:37:02 PM 30049 C:\WINDOWS\SYSTEM32\fiz3
abetterinternet.com 5/7/2004 3:01:34 PM 30010 C:\WINDOWS\SYSTEM32\fiz7
SAHAgent 5/6/2004 7:53:30 PM 30095 C:\WINDOWS\SYSTEM32\fiz8
SAHAgent 5/6/2004 6:12:38 PM 30026 C:\WINDOWS\SYSTEM32\fiz9
SAHAgent 6/14/2005 10:55:46 AM 2889 C:\WINDOWS\SYSTEM32\gah95on6.ini
UPX! 8/22/2001 8:00:00 PM 86030 C:\WINDOWS\SYSTEM32\msdjgk.dll
UPX! 8/22/2001 8:00:00 PM 170496 C:\WINDOWS\SYSTEM32\msiaih.dll
KavSvc 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
69.59.186.63 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
209.66.67.134 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
testpopup 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
web-nex 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
yourkey 8/3/2005 10:29:08 PM 34816 C:\WINDOWS\SYSTEM32\neeukyp.dll
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 8/5/2005 6:45:06 PM 3585 C:\WINDOWS\SYSTEM32\ssv0gqnu.ini
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

abetterinternet.com 6/7/2005 11:28:26 AM 18908 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010011.backup
abetterinternet.com 6/11/2005 1:00:14 AM 18884 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010017.backup
abetterinternet.com 6/11/2005 1:00:18 AM 18856 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010022.backup
abetterinternet.com 6/11/2005 1:00:22 AM 18815 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010047.backup

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/18/2005 12:26:38 PM 2048 C:\WINDOWS\bootstat.dat
H 6/28/2005 3:34:06 AM 0 C:\WINDOWS\inf\oem16.inf
H 6/30/2005 12:13:36 AM 0 C:\WINDOWS\LastGood\INF\oem17.inf
H 6/30/2005 12:13:36 AM 0 C:\WINDOWS\LastGood\INF\oem17.PNF
SH 8/16/2005 11:59:16 PM 5 C:\WINDOWS\system32\AuxDrv32ds_d.ods
SH 8/8/2005 9:22:10 AM 401408 C:\WINDOWS\system32\n?pdb.exe
SH 7/13/2005 4:04:00 PM 401408 C:\WINDOWS\system32\r?ndll.exe
H 8/18/2005 12:30:54 PM 1024 C:\WINDOWS\system32\config\DEFAULT.LOG
H 8/18/2005 12:30:20 PM 1024 C:\WINDOWS\system32\config\SAM.LOG
H 8/18/2005 12:30:54 PM 1024 C:\WINDOWS\system32\config\SECURITY.LOG
H 8/18/2005 12:58:16 PM 1024 C:\WINDOWS\system32\config\SOFTWARE.LOG
H 8/18/2005 12:31:48 PM 1024 C:\WINDOWS\system32\config\SYSTEM.LOG
H 8/13/2005 10:52:22 PM 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
SH 8/16/2005 10:14:12 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OPEF4H6V\desktop.ini
SH 8/16/2005 10:14:12 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RATCDEXY\desktop.ini
SH 8/16/2005 10:14:12 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S56JW9AB\desktop.ini
SH 8/16/2005 10:14:12 AM 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\T68U8FJD\desktop.ini
SH 8/18/2005 12:30:22 PM 192 C:\WINDOWS\Tasks\RUTASK.job
H 8/18/2005 12:26:40 PM 6 C:\WINDOWS\Tasks\SA.DAT
H 8/17/2005 4:00:02 PM 408 C:\WINDOWS\Tasks\{713C0A03-063F-41AA-856A-DD686B67BE55}_AMDTHUNDERBIRD_Travis.job
H 8/18/2005 9:00:02 AM 408 C:\WINDOWS\Tasks\{A51C1FE3-C0FA-4BCC-B8A0-9457E115027D}_AMDTHUNDERBIRD_Travis.job
H 8/12/2005 4:00:02 PM 408 C:\WINDOWS\Tasks\{DC4056AE-CA89-49EC-8A32-8ABC5C8B69F2}_AMDTHUNDERBIRD_Travis.job
SH 8/4/2005 7:07:52 PM 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
SH 8/4/2005 7:07:52 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/4/2005 7:07:52 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0NY9K5Q1\desktop.ini
SH 8/4/2005 7:07:52 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\29YF47AL\desktop.ini
SH 8/4/2005 7:07:52 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KN4NQRCZ\desktop.ini
SH 8/4/2005 7:07:52 PM 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S5OJG327\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/23/2001 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/22/2004 11:44:42 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 12/22/2003 9:28:12 AM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 8/26/1996 3:12:00 AM 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Pinnacle Systems GmbH 12/13/2000 8:05:00 PM 73728 C:\WINDOWS\SYSTEM32\RALCtrl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 8:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/17/2005 12:45:34 AM 1766 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/11/2004 7:35:52 PM 1828 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.0.8.lnk
5/24/2005 10:59:14 PM 1814 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
2/4/2005 9:44:40 PM 1739 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
5/15/2005 11:52:48 PM 882 C:\Documents and Settings\Travis\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
5/24/2005 11:25:18 PM 684 C:\Documents and Settings\Travis\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

Checking files in %USERPROFILE%\Application Data folder...
6/17/2005 12:43:32 AM 1766 C:\Documents and Settings\Travis\Application Data\AdobeDLM.log
6/17/2005 12:43:32 AM 0 C:\Documents and Settings\Travis\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqms
{8c114fc1-9bb3-4f61-9f1f-e05e3db7a4ae} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqys
{d2b54d61-d11f-40c7-8933-eebd600a8ab0} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqysny
{cf8f2a56-6e1f-4c67-8598-e13d5c7ee661} = C:\WINDOWS\System32\irrnk.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}
Web Assistant = C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbHostIE.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PCLEPCI C:\PROGRA~1\Pinnacle\PPE\ppe.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
SpamBlocker C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
Spam Blocker for Outlook Express C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\SBInst.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
doaird c:\windows\system32\vmzrlkz.exe r

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MoneyAgent "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
H/PC Connection Agent "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Mozilla Quick Launch "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
updateMgr C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
Eeoe C:\Program Files\owsc\morh.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe C:\WINDOWS\Nail.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/18/2005 1:01:49 PM



Ewido:

I have done the Ewido scan twice. Once the scan is complete, the button that I should click to save the report and the one to view the report is grayed out. The only button that I can click is the Pause button. The Ewido scan shows 16 infected objects.


Anita

#18
Wizard
    Retired Staff
  • 5,661 posts
Please make sure that Microsoft AntiSpyware's Real-Time Monitoring is turned off!

There should be an Icon in the taskbar, near the clock!

If any others are running, please turn them off as well!

Spyware Doctor
SpamBlockerUtility


Copy & Paste the text in the Code Box to a blank Notepad Page and Save it to your Desktop-> Name it Rem.reg-> Don't use this until I ask, please!

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\UPDATEMGR]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqms]
 
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqys]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mggqysny]

[-HKEY_CLASSES_ROOT\CLSID\{cf8f2a56-6e1f-4c67-8598-e13d5c7ee661}]

[-HKEY_CLASSES_ROOT\CLSID\{8c114fc1-9bb3-4f61-9f1f-e05e3db7a4ae}]

[-HKEY_CLASSES_ROOT\CLSID\{d2b54d61-d11f-40c7-8933-eebd600a8ab0}]


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

System Startup Service

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!


Download dsrfix.zip
http://www.atribune....oads/dsrfix.zip
Save it to your desktop.

Unzip dsrfix.zip and extract it to your desktop.
This will create a new folder on your desktop named dsrfix.
Do Not open that folder yet.


Please download APT
http://www.diamondcs...ex.php?page=apt
Unzip the contents to a new folder on your desktop.


Highlight the list below and press Ctrl+C to Copy!

c:\windows\system32\vmzrlkz.exe
C:\WINDOWS\SYSTEM32\fiz10
C:\WINDOWS\SYSTEM32\fiz3
C:\WINDOWS\SYSTEM32\fiz7
C:\WINDOWS\SYSTEM32\fiz8
C:\WINDOWS\SYSTEM32\fiz9
C:\WINDOWS\SYSTEM32\gah95on6.ini
C:\WINDOWS\SYSTEM32\msdjgk.dll
C:\WINDOWS\SYSTEM32\msiaih.dll
C:\WINDOWS\SYSTEM32\neeukyp.dll
C:\WINDOWS\SYSTEM32\bose.ico
C:\WINDOWS\SYSTEM32\datadx.dll
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\System32\irrnk.dll
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\winupdt.008
C:\WINDOWS\SYSTEM32\2ss989sb.ini
C:\WINDOWS\SYSTEM32\68df7ocb.ini
C:\WINDOWS\SYSTEM32\70tovmto.ini
C:\WINDOWS\SYSTEM32\bln02nqv.ini
C:\WINDOWS\SYSTEM32\ssv0gqnu.ini
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\WINDOWS\SYSTEM32\FLEOK
C:\WINDOWS\SYSTEM32\nsvsvc
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010011.backup
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010017.backup
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010022.backup
C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20050611-010047.backup
C:\WINDOWS\Tasks\RUTASK.job
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\dsr.dll
C:\WINDOWS\dsr.exe
C:\WINDOWS\maakn.dll
C:\WINDOWS\opwncrytlmh.exe
C:\WINDOWS\whCC-GIANT.exe
c:\windows\SvcProc.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\hisistheurls.exe
C:\WINDOWS\sepsd.bin
C:\WINDOWS\whCC-GIANT.exe
C:\PROGRAM FILES\joystick networks
C:\PROGRAM FILES\MedCh
C:\PROGRAM FILES\MySearch
C:\Program Files\owsc\morh.exe
C:\Program Files\owsc
C:\DOCUMENTS AND SETTINGS\TRAVIS\FAVORITES\1111
C:\DOCUMENTS AND SETTINGS\TRAVIS\FAVORITES\Fun & Games
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
C:\DOCUMENTS AND SETTINGS\TRAVIS\LOCAL SETTINGS\TEMP\!update.exe


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Don't Click Delete just yet!


Open the APT folder click on apt.exe and search in the window for
c:\windows\system32\vmzrlkz.exe

Select it and Click Kill3


Immediately go to Killbox and Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!

Restart in Safe Mode and Be sure Windows is Showing Hidden Files!
http://www.bleepingc...ut62.html#winxp


Locate Rem.reg and Double Click to Execute

Allow it to merge into the registry!


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [doaird] c:\windows\system32\vmzrlkz.exe r

O4 - HKCU\..\Run: [Eeoe] C:\Program Files\owsc\morh.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Click Start-> Run-> Copy&Paste the bold text below into the Open Box and Click OK!

sc delete SvcProc


Now open the folder dsrfix on your desktop.

Double-Click on dsrfix.bat

A window will pop up briefly then close, this is normal.


From the LQFix folder again-> Double-click LQfix.bat that you saved on your desktop before.

A DOS window will open and close again, this is normal.


Now, navigate to C:\Windows\System32

Search through the System32 folder for these 2 files but don't mistake them for the legit System files they are trying to appear as!

The trick to locating these is to use the Mouse pointer and place it over the suspect file!


The good file will have Date Created-> Size-> Description-> Version and Company Name(Microsoft)

The bad file will only display Date Created and Size!

n?pdb.exe <- The ? can be anything!

The file was created on 08/08/2005 @ 9:22 AM

The size of the file is 401,408 Bytes or 392 Kb

r?ndll.exe

The file was created on 7/13/2005 @ 4:04:00 PM 401408

The size of the file is 401,408 Bytes or 392 Kb


The good file is RunDll32, not just rundll!


Now locate the Hoster and Run it once more just as you did before!


Restart back in Normal Mode and try the Panda Scan once more!


Post back with a fresh HijackThis log and the report from Panda!

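As an added example that is not part of the original post or of any of the tools it names, here is the file check described above (a legitimate system file carries version, description and company metadata; the lookalike shows only a creation date and size) written as a single PowerShell triage pass over System32. It assumes an elevated PowerShell on the affected machine; the two name patterns and the 401,408-byte size come from the post, while the property names `Suspect` and `SizeMatches` are my own choice.

```powershell
# Added example, not code from the original thread.
# Lists System32 files matching the lookalike name patterns from the post and
# flags any that carry no embedded company/version information, which is the
# same distinction the post describes for hovering over the file.
# Assumes: elevated PowerShell; patterns and expected size taken from the post.

$system32     = Join-Path $env:SystemRoot 'System32'
$patterns     = @('n?pdb.exe', 'r?ndll.exe')   # '?' matches exactly one character
$expectedSize = 401408                           # size the post gives for both bad files

function Get-LookalikeCandidates {
    foreach ($pattern in $patterns) {
        # -Force includes hidden files, the same scope as "dir /a h" earlier in the thread.
        Get-ChildItem -Path $system32 -Filter $pattern -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                $hasMetadata = (-not [string]::IsNullOrWhiteSpace($vi.CompanyName)) -and
                               (-not [string]::IsNullOrWhiteSpace($vi.FileVersion))
                [pscustomobject]@{
                    Name        = $_.Name
                    Created     = $_.CreationTime
                    SizeBytes   = $_.Length
                    Company     = $vi.CompanyName
                    Version     = $vi.FileVersion
                    Description = $vi.FileDescription
                    SizeMatches = ($_.Length -eq $expectedSize)
                    Suspect     = (-not $hasMetadata)   # no company/version: matches the post's "bad file"
                }
            }
    }
}

# The legitimate rundll32.exe for comparison: it should show Microsoft as the company.
function Get-ReferenceRundll32 {
    Get-Item (Join-Path $system32 'rundll32.exe') |
        Select-Object Name, Length,
            @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } },
            @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }
}

Get-LookalikeCandidates | Format-Table -AutoSize
Get-ReferenceRundll32   | Format-Table -AutoSize
```

Treat a `Suspect` hit as a triage signal rather than proof: a version resource can be copied into a malicious file, so a file that shows metadata still deserves a hash lookup, and a file with none deserves one before deletion. The `SizeMatches` column only reproduces the size the post quotes and will be false for a differently built sample.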