Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfixer/adware problems


  • Please log in to reply

#31
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Okay, thanks for the help. Not sure how to disable Symantec.

Also, are you sure about the mass mailing. I am sure I would have heard from someone if they saw strange email originating from my computer. I do alot of email and am on several lists.
  • 0

Advertisements


#32
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry for being so bleak last night,I was beat!

OK,the MWAV Scanner works of the Kaspersky Database and the entries below are from the MWAV Scan you did!

Email-Worm.Win32.NetSky.b

Email-Worm.Win32.NetSky.r

Email-Worm.Win32.NetSky.y

Email-Worm.Win32.NetSky.aa

Email-Worm.Win32.NetSky.x

Email-Worm.Win32.Sobig.f

Email-Worm.Win32.Mydoom.a

Email-Worm.Win32.Swen



Norton is usually pretty good at getting these and stopping them from mailing out!


All we can do is hope that they were stopped!


To Disable Symantec-> Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Locate all entries Norton or Symantec and Uncheck them!

Click Apply-> OK-> Exit without Restart!

Look in the Taskbar by the clock and locate any Norton Icons!

Right Click and Select Disable!

Now Download and Install Kaspersky!

Make sure to get the Extended Database as described!

Run the scan just as the Instructions are laid out!

Ill be right here if you need me!

Feel free to PM if necessary!
  • 0

#33
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Okay, finally done! A few things...The extended data base was not an available option as described. Has the program been updated? Also, I did not see your post and just disabled Norton by unchecking autoprotect and script blocking in the options section. I ran Kaspersky as described but was unable to copy the report. I can still access the report within the program but cannot save or copy it. Below is the latest HJT log.

Thanks for the help,
Charlie



Logfile of HijackThis v1.99.1
Scan saved at 10:02:06 PM, on 8/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#34
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Thats weird about the Extended Database,dont think I have heard of that yet!

OK,lets check and see how we did!

Please get Ewido Updated with the latest definitions!

Delete the old version of WinPFind and get the latest version!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode!

Scan the entire System with Ewido-> Clean all it finds-> Save a Report!

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from WinPFind-> Ewido and Panda!
  • 0

#35
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
finally done! Here are the results. It looks like I may be clean.


Logfile of HijackThis v1.99.1
Scan saved at 9:55:29 AM, on 8/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:54:10 PM, 8/20/2005
+ Report-Checksum: 8D117C92

+ Scan result:

No infected objects found.


::Report End



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 6/5/2005 8:21:36 AM 536313856 C:\WINNT\MEMORY.DMP
FSG! 6/5/2005 8:21:36 AM 536313856 C:\WINNT\MEMORY.DMP
aspack 6/5/2005 8:21:36 AM 536313856 C:\WINNT\MEMORY.DMP

Checking %System% folder...
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINNT\SYSTEM32\locate.com
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 6/19/2003 3:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 7/26/2000 6:00:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H 8/20/2005 7:27:38 PM 54156 C:\WINNT\QTFont.qfn
H 8/20/2005 7:36:26 PM 554014 C:\WINNT\ShellIconCache
S 8/20/2005 7:37:00 PM 268 C:\WINNT\CSC\00000001
S 8/20/2005 7:20:00 PM 256 C:\WINNT\CSC\00000002
S 8/18/2005 7:22:34 PM 256 C:\WINNT\CSC\csc1.tmp
H 8/14/2005 10:06:32 AM 10820 C:\WINNT\HELP\nocontnt.GID
H 7/21/2005 9:10:42 AM 0 C:\WINNT\INF\oem23.inf
SH 8/8/2005 9:28:04 AM 401408 C:\WINNT\SYSTEM32\??anregw.exe
H 8/20/2005 7:22:36 PM 1024 C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG
H 8/20/2005 7:41:34 PM 1024 C:\WINNT\SYSTEM32\CONFIG\SAM.LOG
H 8/20/2005 7:39:36 PM 1024 C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG
H 8/20/2005 7:58:54 PM 1024 C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG
SH 8/13/2005 10:17:00 PM 336 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\User\4a642520-059b-48fd-a043-ab02278311a2
SH 8/13/2005 10:17:00 PM 24 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/20/2005 7:37:00 PM 6 C:\WINNT\TASKS\SA.DAT
H 8/19/2005 12:05:24 AM 390 C:\WINNT\TASKS\{F897AA24-BDC3-11D1-B85B-00C04FB93981}_NEWTON_Charlie.job

Checking for CPL files...
Microsoft Corporation 7/26/2000 1:00:00 PM 67344 C:\WINNT\SYSTEM32\ACCESS.CPL
Microsoft Corporation 6/19/2003 3:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Teleca Software Solutions AB 1/12/2004 12:05:52 PM 344064 C:\WINNT\SYSTEM32\ecsepm.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2/20/2001 1:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 7/26/2000 6:00:00 PM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 10/30/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems 8/29/2002 10:10:26 AM 229479 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 7/26/2000 4:37:08 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Intel Corporation 5/11/2000 8:55:00 AM 720896 C:\WINNT\SYSTEM32\prosetp.cpl
Apple Computer, Inc. 7/10/2002 10:01:38 PM 295936 C:\WINNT\SYSTEM32\QuickTime.cpl
Symantec Corporation 11/5/1999 6:58:12 PM 143360 C:\WINNT\SYSTEM32\s32lucp1.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 3:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 7/26/2000 6:00:00 PM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 8:14:40 AM 292352 C:\WINNT\SYSTEM32\DLLCACHE\inetcpl.cpl
IBM Corporation 9/23/1999 7:44:36 PM 94208 C:\WINNT\SYSTEM32\DLLCACHE\mwcpa32.cpl
Microsoft Corporation 7/26/2000 6:00:00 PM 41232 C:\WINNT\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation 7/26/2000 4:37:08 PM 41232 C:\WINNT\SYSTEM32\DLLCACHE\odbccp32.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\DLLCACHE\wuaucpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/21/2005 3:23:46 PM 1575 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
4/8/2003 10:32:18 AM 1685 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
9/1/2003 2:22:42 PM 746 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-B Notebook Adapter Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
8/15/2005 11:05:10 AM 533 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
11/23/2004 3:33:04 PM 0 C:\Documents and Settings\Administrator\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{969223c0-26aa-11d0-90ee-444553540000}
= pgpmn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{969223c0-26aa-11d0-90ee-444553540000}
= pgpmn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CC8D2568-3AC5-459F-851F-6F19A89CBCB1}
= C:\Program Files\Common Files\ESRI\esriShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\Spybot\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
PRPCMonitor PRPCUI.exe
RxUser C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
madexe C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
SymTray - Norton SystemWorks C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

StatusClient C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
HPLJ Config C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
QD FastAndSafe
KAVPersonal50 "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
SymTray - Norton SystemWorks C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
\tools.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key -{ZR;^m6
FileName0 C:\WINNT\system32\RSACi.rat
WarnOnOff 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 1
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
v 4
s 4
n 4
l 4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
\tools.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
aqad.exe C:\WINNT\system\aqad.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/21/2005 4:17:09 AM



<PANDA>
Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0
  • 0

#36
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,just a little CleanUp left!

I think I see the worm that started all this!

C:\Documents and Settings\All Users\Local Settings\Tools\tools.exe

From what I can tell,this is the worm that started it all!

So lets do some looking!

Restart in Safe Mode and be sure Windows is Showing Hidden Files!
http://www.bleepingc...62.html#win2000

See if you can actually see any of these

C:\Documents and Settings\All Users\Local Settings\Tools\tools.exe

C:\WINNT\system\aqad.exe<- System folder,not the System32 folder

This next one is tricky because it tries to make itself look like a legit system file!

C:\WINNT\SYSTEM32\??anregw.exe<- The ? can be anything!

Look in the System32 folder for scanregw.exe

When you place the pointer over the file,the good one will display these properties!

Description

Company Name

File Version

Date Created

Size


The bad file will only display

Date Created<- Which is 8/8/2005 @ 9:28:04 AM

Size<- Which is 392 KB

Once you locate any of these,please delete them and empty the recycle bin!

Make sure this folder is gone also!

C:\Documents and Settings\All Users\Local Settings\Tools

Post back and let me know what you found?

Edited by Cretemonster, 21 August 2005 - 08:30 AM.

  • 0

#37
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Only found scanregw.exe, which appeared to be the bad one so deleted it. The tools.exe files and folder were previously deleted but not found this time. Did not find the aqad.exe or the good scanregw.exe files.
  • 0

#38
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
One last thing to weed out the old dead registry entries!

Copy the text in the code box to a blank notepad page and save it to your desktop as rem.reg

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"tools.exe"=-
"aqad.exe"=-

Double Click rem.reg and allow it to merge into the registry!

If you have never run a good registry cleaner on the PC,heres one that I personally like!

RegSupreme Pro
http://majorgeeks.co..._Pro_d4256.html

Once downloaded and launched,Click Yes to Update the Cache-> Click "Registry Cleaner"-> Click "Aggresive" and "Start"-> Fix everything it finds-> Name the Backup it creates and Save it somewhere safe!

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...p2002/hosts.htm

Made Easy
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?
  • 0

#39
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Okay, done. I am running win2000 so the system restore and msconfig are not available. What tools do you recommend keeping?
  • 0

#40
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Gimmie a list of everything you are unsure whether to keep or not!

Also I recommend weeding out all old emails you have laying around!

Edited by Cretemonster, 21 August 2005 - 07:28 PM.

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP