Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijacked desktop


  • This topic is locked This topic is locked

#16
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.

PSGuard

4. While still in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

5. Delete the folders. (if present)

C:\Program Files\PSGuard

6. Delete the files. (if present)

C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\intell32.exe

7. Reboot and post a new Hijackthis log here in a reply.
  • 0

Advertisements


#17
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Results, there was not a PSGuard program to remove, but I know it is there because ewido found it upon reboot. Also, I deleted msole32.exe but there was not an intell32.exe for me to delete. Somehow it's location is hiding from me. When ewido finds PSGuard upon reboot, it says the file is intell32.exe and the path is C:\windows\system 32. Why can't I find it? View hidden files and uncheck hidden folder were already checked and unchecked.


Logfile of HijackThis v1.99.1
Scan saved at 8:54:12 AM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:80
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\INTERNETPC\EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P36 "\\INTERNETPC\EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124547529435
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pillaribros.com
O17 - HKLM\Software\..\Telephony: DomainName = pillaribros.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pillaribros.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\K5IBO9EN\CWShredder[1].exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#18
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

4. Delete the folders. (if present)

C:\Program Files\PSGuard\

5. Delete the files. (if present)

C:\WINDOWS\system32\intell32.exe

6. Reboot and post a new Hijackthis log here in a reply.
  • 0

#19
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I downloaded spyware doctor and now I can't get rid of it.


Logfile of HijackThis v1.99.1
Scan saved at 1:45:53 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:80
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\INTERNETPC\EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P36 "\\INTERNETPC\EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124547529435
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pillaribros.com
O17 - HKLM\Software\..\Telephony: DomainName = pillaribros.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pillaribros.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\K5IBO9EN\CWShredder[1].exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#20
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Can you run smitrem now I think we are going to need it to get rid of Psgaurd.
  • 0

#21
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Smitrem still won't run. I think I'm F....'d.

Thanks for all your help to this point.
  • 0

#22
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#23
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
06:57 AM: |··· Start of Session, Thursday, 25 August 2005 ···|
06:57 AM: Spy Sweeper 3.0.0 (Build 129) started
06:58 AM: Processing Startup Alerts
06:58 AM: Allowed Startup entry: \\INTERNETPC\EPSON Stylus C82 Series
06:58 AM: Sweep initiated using definitions version 365
06:58 AM: Sweeping memory for active spyware.
06:58 AM: Memory sweep has completed. Elapsed time 00:00:01
06:58 AM: Registry sweep initiated.
06:58 AM: Found: 1 Alexa Toolbar registry traces.
06:58 AM: Registry sweep completed. Elapsed time 00:00:03
06:58 AM: Full sweep on all local drives initiated.
06:58 AM: Now sweeping drive C:
07:08 AM: Found Adware: Liveperson, version 1, c:\program files\primavera\expedition\userdic.tlx
07:15 AM: Found: 1 file traces.
07:15 AM: Full Sweep has completed. Elapsed time 00:16:43
54,125 files swept
2 spyware traces located
07:22 AM: Removal process initiated
07:22 AM: Quarantining: Alexa Toolbar
07:22 AM: Registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\extensions\cmdmapping||{c95fe080-8f5d-11d2-a20b-00aa003c157a}
07:22 AM: Quarantining: Liveperson
07:22 AM: File: c:\program files\primavera\expedition\userdic.tlx
07:22 AM: Cleaning Traces
07:22 AM: Removing registry: HKEY_CURRENT_USER\software\microsoft\internet explorer\extensions\cmdmapping|| ({c95fe080-8f5d-11d2-a20b-00aa003c157a})
07:22 AM: Removing file: c:\program files\primavera\expedition\userdic.tlx
07:22 AM: Removal process completed. Elapsed time 00:00:00
2 items (2 traces) quarantined.
  • 0

#24
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Can you post a new Hijackthis log here in a reply from normal mode.
  • 0

#25
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:04:51 PM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:80
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\INTERNETPC\EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P36 "\\INTERNETPC\EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124547529435
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pillaribros.com
O17 - HKLM\Software\..\Telephony: DomainName = pillaribros.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pillaribros.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\K5IBO9EN\CWShredder[1].exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

Advertisements


#26
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
You sure that log was made in normal mode its missing alot of processes?
  • 0

#27
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Yes, it was in normal mode, here's another one just in case...

Logfile of HijackThis v1.99.1
Scan saved at 12:16:44 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:80
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\INTERNETPC\EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P36 "\\INTERNETPC\EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124547529435
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pillaribros.com
O17 - HKLM\Software\..\Telephony: DomainName = pillaribros.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pillaribros.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\K5IBO9EN\CWShredder[1].exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#28
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Dont do anything with it yet!
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Copy & Paste WinPFind.txt and post it into a new post here in a reply.
  • 0

#29
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here it is in safe mode:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Version:
Internet Explorer Version:

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/26/2005 12:49:34 PM HS 402653184 \pagefile.sys
8/25/2005 4:35:08 PM H 1024 \Documents and Settings\All Users\NTUSER.DAT.LOG
8/2/2005 8:09:34 AM HS 4608 \Documents and Settings\All Users\DRM\drmv2.sst
8/2/2005 8:09:32 AM HS 312 \Documents and Settings\All Users\DRM\v2ks.bla
8/2/2005 8:09:32 AM HS 48 \Documents and Settings\All Users\DRM\v2ks.sec
8/25/2005 4:35:08 PM H 1024 \Documents and Settings\Default User\NTUSER.DAT.LOG
8/26/2005 12:52:34 PM H 6029312 \Documents and Settings\jerry\NTUSER.DAT
8/26/2005 12:50:30 PM H 217088 \Documents and Settings\jerry\ntuser.dat.LOG
8/26/2005 12:52:26 PM HS 278 \Documents and Settings\jerry\ntuser.ini
8/22/2005 2:38:36 PM RHS 734 \Documents and Settings\jerry\ntuser.pol
8/23/2005 4:59:52 PM RH 1478 \Documents and Settings\jerry\Application Data\Lavasoft\Ad-Aware\settings.awc
8/15/2005 11:21:24 AM S 18 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
8/20/2005 8:40:08 AM S 7903 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/19/2005 5:04:04 PM S 688 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
8/20/2005 8:40:06 AM S 408 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
8/15/2005 11:21:24 AM S 19359 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
8/20/2005 7:57:52 AM S 17594 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
7/22/2005 11:48:58 AM S 558 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
8/19/2005 5:04:06 PM S 70191 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
8/15/2005 11:21:24 AM S 216 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
8/20/2005 8:40:08 AM S 120 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/19/2005 5:04:04 PM S 94 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
8/20/2005 8:40:06 AM S 124 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
8/15/2005 11:21:24 AM S 216 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
8/20/2005 7:57:52 AM S 124 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
7/22/2005 11:48:58 AM S 144 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
8/19/2005 5:04:06 PM S 128 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
8/25/2005 1:02:32 PM HS 2694 \Documents and Settings\jerry\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/26/2005 12:34:38 PM H 822 \Documents and Settings\jerry\Application Data\Microsoft\Office\Recent\index.dat
8/26/2005 12:49:52 PM HS 62 \Documents and Settings\jerry\Local Settings\desktop.ini
8/26/2005 12:52:12 PM H 4302876 \Documents and Settings\jerry\Local Settings\Application Data\IconCache.db
8/20/2005 8:34:46 AM H 262144 \Documents and Settings\jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
8/26/2005 12:49:52 PM H 8192 \Documents and Settings\jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
8/19/2005 7:02:16 AM HS 82 \Documents and Settings\jerry\Local Settings\History\desktop.ini
8/22/2005 10:51:10 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\07E3JZOD\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\KDYR89QN\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\Q3QV876X\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\U98GXS0D\desktop.ini
8/23/2005 12:19:42 PM HS 75 \Documents and Settings\jerry\NetHood\share on pillari-nt1\Desktop.ini
8/24/2005 5:13:42 PM HS 65 \RECYCLER\S-1-5-21-842925246-1454471165-1417001333-1117\desktop.ini
8/25/2005 5:08:06 PM H 5620 \RECYCLER\S-1-5-21-842925246-1454471165-1417001333-1117\INFO2
8/26/2005 12:49:42 PM S 2048 \WINDOWS\bootstat.dat
8/18/2005 3:31:54 PM H 0 \WINDOWS\inf\oem22.inf
8/20/2005 7:15:34 AM S 658432 \WINDOWS\system32\wininet.dll
7/8/2005 4:23:18 PM S 12143 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
6/30/2005 9:06:34 AM S 11437 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
7/19/2005 7:18:10 PM S 18913 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
6/30/2005 1:42:18 PM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
6/30/2005 2:21:10 PM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
6/30/2005 8:46:18 AM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
6/28/2005 7:12:56 PM S 11845 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
8/26/2005 12:49:54 PM H 12288 \WINDOWS\system32\config\default.LOG
8/26/2005 12:49:34 PM H 8192 \WINDOWS\system32\config\SAM.LOG
8/26/2005 12:49:52 PM H 20480 \WINDOWS\system32\config\SECURITY.LOG
8/26/2005 12:49:54 PM H 212992 \WINDOWS\system32\config\software.LOG
8/26/2005 12:50:02 PM H 892928 \WINDOWS\system32\config\system.LOG
6/28/2005 5:31:50 PM HS 388 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3835bea2-7174-4330-b041-7f850655d882
6/28/2005 5:31:34 PM HS 388 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5b431d2e-480b-4538-8127-451f8c1aab66
6/28/2005 5:31:34 PM HS 24 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/26/2005 12:52:30 PM H 6 \WINDOWS\Tasks\SA.DAT

Checking for CPL files...

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
UPX! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
FSG! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PEC2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PECompact2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Umonitor 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
qoologic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aspack 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PTech 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
urllogic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-beh 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-behNior.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
sYVLLSAKY 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
_rtneg3 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
SAHAgent 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
buddy.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ZepMon 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aurora.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
;2x(V]@BMD 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Tlji7Mk 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
KavSvc 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
69.59.186.63 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
209.66.67.134 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.97 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.77 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
abetterinternet.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8B!7F\(T 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
testpopup 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
web-nex 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
yourkey 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
winsync 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
rec2_run 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
WinShutDown 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-w-a-r-e.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8/26/2005 12:50:36 PM 436224 C:\Documents and Settings\jerry\Desktop\WinPFind\WinPFind.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
UPX! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
FSG! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PEC2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PECompact2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Umonitor 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
qoologic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aspack 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PTech 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
urllogic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-beh 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-behNior.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
sYVLLSAKY 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
_rtneg3 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
SAHAgent 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
buddy.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ZepMon 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aurora.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
;2x(V]@BMD 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Tlji7Mk 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
KavSvc 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
69.59.186.63 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
209.66.67.134 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.97 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.77 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
abetterinternet.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8B!7F\(T 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
testpopup 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
web-nex 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
yourkey 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
winsync 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
rec2_run 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
WinShutDown 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-w-a-r-e.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8/26/2005 12:50:36 PM 436224 C:\Documents and Settings\jerry\Desktop\WinPFind\WinPFind.exe

Checking files in %USERPROFILE%\Startup folder...
11/25/2003 2:26:04 PM HS 84 C:\Documents and Settings\jerry\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/6/2004 2:32:10 PM 38423 C:\Documents and Settings\jerry\Application Data\Comma Separated Values (Windows).ADR
11/25/2003 9:17:22 AM HS 62 C:\Documents and Settings\jerry\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/26/2005 12:51:47 PM
  • 0

#30
tut

tut

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Here it is in normal mode:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Version:
Internet Explorer Version:

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/26/2005 12:49:34 PM HS 402653184 \pagefile.sys
8/25/2005 4:35:08 PM H 1024 \Documents and Settings\All Users\NTUSER.DAT.LOG
8/2/2005 8:09:34 AM HS 4608 \Documents and Settings\All Users\DRM\drmv2.sst
8/2/2005 8:09:32 AM HS 312 \Documents and Settings\All Users\DRM\v2ks.bla
8/2/2005 8:09:32 AM HS 48 \Documents and Settings\All Users\DRM\v2ks.sec
8/25/2005 4:35:08 PM H 1024 \Documents and Settings\Default User\NTUSER.DAT.LOG
8/26/2005 12:52:34 PM H 6029312 \Documents and Settings\jerry\NTUSER.DAT
8/26/2005 12:50:30 PM H 217088 \Documents and Settings\jerry\ntuser.dat.LOG
8/26/2005 12:52:26 PM HS 278 \Documents and Settings\jerry\ntuser.ini
8/22/2005 2:38:36 PM RHS 734 \Documents and Settings\jerry\ntuser.pol
8/23/2005 4:59:52 PM RH 1478 \Documents and Settings\jerry\Application Data\Lavasoft\Ad-Aware\settings.awc
8/15/2005 11:21:24 AM S 18 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
8/20/2005 8:40:08 AM S 7903 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
8/19/2005 5:04:04 PM S 688 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
8/20/2005 8:40:06 AM S 408 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
8/15/2005 11:21:24 AM S 19359 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
8/20/2005 7:57:52 AM S 17594 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
7/22/2005 11:48:58 AM S 558 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
8/19/2005 5:04:06 PM S 70191 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
8/15/2005 11:21:24 AM S 216 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
8/20/2005 8:40:08 AM S 120 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
8/19/2005 5:04:04 PM S 94 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
8/20/2005 8:40:06 AM S 124 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
8/15/2005 11:21:24 AM S 216 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
8/20/2005 7:57:52 AM S 124 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
7/22/2005 11:48:58 AM S 144 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
8/19/2005 5:04:06 PM S 128 \Documents and Settings\jerry\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
8/25/2005 1:02:32 PM HS 2694 \Documents and Settings\jerry\Application Data\Microsoft\Internet Explorer\Desktop.htt
8/26/2005 12:34:38 PM H 822 \Documents and Settings\jerry\Application Data\Microsoft\Office\Recent\index.dat
8/26/2005 12:49:52 PM HS 62 \Documents and Settings\jerry\Local Settings\desktop.ini
8/26/2005 12:52:12 PM H 4302876 \Documents and Settings\jerry\Local Settings\Application Data\IconCache.db
8/20/2005 8:34:46 AM H 262144 \Documents and Settings\jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
8/26/2005 12:49:52 PM H 8192 \Documents and Settings\jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
8/19/2005 7:02:16 AM HS 82 \Documents and Settings\jerry\Local Settings\History\desktop.ini
8/22/2005 10:51:10 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\07E3JZOD\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\KDYR89QN\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\Q3QV876X\desktop.ini
8/22/2005 10:51:08 AM HS 67 \Documents and Settings\jerry\Local Settings\Temporary Internet Files\Content.IE5\U98GXS0D\desktop.ini
8/23/2005 12:19:42 PM HS 75 \Documents and Settings\jerry\NetHood\share on pillari-nt1\Desktop.ini
8/24/2005 5:13:42 PM HS 65 \RECYCLER\S-1-5-21-842925246-1454471165-1417001333-1117\desktop.ini
8/25/2005 5:08:06 PM H 5620 \RECYCLER\S-1-5-21-842925246-1454471165-1417001333-1117\INFO2
8/26/2005 12:49:42 PM S 2048 \WINDOWS\bootstat.dat
8/18/2005 3:31:54 PM H 0 \WINDOWS\inf\oem22.inf
8/20/2005 7:15:34 AM S 658432 \WINDOWS\system32\wininet.dll
7/8/2005 4:23:18 PM S 12143 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
6/30/2005 9:06:34 AM S 11437 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896423.cat
7/19/2005 7:18:10 PM S 18913 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
6/30/2005 1:42:18 PM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899587.cat
6/30/2005 2:21:10 PM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899588.cat
6/30/2005 8:46:18 AM S 11084 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB899591.cat
6/28/2005 7:12:56 PM S 11845 \WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901214.cat
8/26/2005 12:49:54 PM H 12288 \WINDOWS\system32\config\default.LOG
8/26/2005 12:49:34 PM H 8192 \WINDOWS\system32\config\SAM.LOG
8/26/2005 12:49:52 PM H 20480 \WINDOWS\system32\config\SECURITY.LOG
8/26/2005 12:49:54 PM H 212992 \WINDOWS\system32\config\software.LOG
8/26/2005 12:50:02 PM H 892928 \WINDOWS\system32\config\system.LOG
6/28/2005 5:31:50 PM HS 388 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\3835bea2-7174-4330-b041-7f850655d882
6/28/2005 5:31:34 PM HS 388 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\5b431d2e-480b-4538-8127-451f8c1aab66
6/28/2005 5:31:34 PM HS 24 \WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/26/2005 12:52:30 PM H 6 \WINDOWS\Tasks\SA.DAT

Checking for CPL files...

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
UPX! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
FSG! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PEC2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PECompact2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Umonitor 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
qoologic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aspack 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PTech 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
urllogic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-beh 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-behNior.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
sYVLLSAKY 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
_rtneg3 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
SAHAgent 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
buddy.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ZepMon 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aurora.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
;2x(V]@BMD 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Tlji7Mk 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
KavSvc 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
69.59.186.63 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
209.66.67.134 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.97 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.77 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
abetterinternet.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8B!7F\(T 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
testpopup 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
web-nex 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
yourkey 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
winsync 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
rec2_run 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
WinShutDown 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-w-a-r-e.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8/26/2005 12:50:36 PM 436224 C:\Documents and Settings\jerry\Desktop\WinPFind\WinPFind.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
UPX! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
FSG! 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PEC2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PECompact2 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Umonitor 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
qoologic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aspack 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
PTech 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
urllogic 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-beh 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-behNior.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
sYVLLSAKY 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
_rtneg3 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
SAHAgent 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
buddy.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ZepMon 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
aurora.exe 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
;2x(V]@BMD 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
Tlji7Mk 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
KavSvc 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
69.59.186.63 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
209.66.67.134 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.97 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
66.63.167.77 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
abetterinternet.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8B!7F\(T 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
testpopup 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
web-nex 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
yourkey 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
winsync 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
rec2_run 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
WinShutDown 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
ad-w-a-r-e.com 8/26/2005 12:50:36 PM 354 C:\Documents and Settings\jerry\Desktop\WinPFind\patterns.txt
8/26/2005 12:50:36 PM 436224 C:\Documents and Settings\jerry\Desktop\WinPFind\WinPFind.exe

Checking files in %USERPROFILE%\Startup folder...
11/25/2003 2:26:04 PM HS 84 C:\Documents and Settings\jerry\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/6/2004 2:32:10 PM 38423 C:\Documents and Settings\jerry\Application Data\Comma Separated Values (Windows).ADR
11/25/2003 9:17:22 AM HS 62 C:\Documents and Settings\jerry\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/26/2005 12:51:47 PM
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP