Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

SurfSidekick, Aurora, and Trojans [RESOLVED]

Started by runner , Aug 27 2005 02:38 PM

  • This topic is locked This topic is locked

#31
tampabelle
Posted 07 September 2005 - 02:36 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Sure no problem. Post back the logs when done.
  • 0

Advertisements

#32
runner
Posted 07 September 2005 - 08:19 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Sorry for the delayed response! The file paths were not in existence during Killbox run in Safe Mode, so that's good, right? All other steps went without a hitch. Is it now safe to delete a lot of these things I've downloaded? Thanks again so so so much for your help! Here is a fresh HiJack This log, hopefully its clean!

Logfile of HijackThis v1.99.1
Scan saved at 10:15:22 PM, on 9/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123635234166
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Edited by runner, 13 October 2005 - 09:20 AM.

  • 0

#33
runner
Posted 08 September 2005 - 09:52 AM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
I ran a Microsoft Antispyware scan earlier this morning and it is still picking up that creation of evil, Apropos!
  • 0

#34
tampabelle
Posted 08 September 2005 - 02:58 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you post a fresh WinpFind log ???
  • 0

#35
runner
Posted 08 September 2005 - 04:49 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
OK, let me reboot into Safe Mode and I will run it again.

How was the HiJack log?
  • 0

#36
runner
Posted 08 September 2005 - 05:44 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Here is the WinpFind report. I notice that one yqyve or whatever it was is still there. Perhaps I screwed up somewhere?? But I dont see it on the HiJack This log. I remember that name from some time ago and thought I got it taken care of, and there does not seem to be any issues with the PC, but as you know I am no expert. Here it is:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:42 PM 228 C:\win.txt
UPX! 8/18/2005 9:06:10 PM 58 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/31/2004 3:01:12 PM 193869 C:\WINDOWS\Dhnedemq.gty
aspack 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PTech 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
PEC2 10/31/2004 3:01:00 PM 184535 C:\WINDOWS\Qlhcwllk.xjx
UPX! 8/7/2005 6:14:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 5/11/2005 8:52:30 AM 398742 C:\WINDOWS\SYSTEM32\Euemrgk1.xml
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
FSG! 4/28/2005 8:20:42 AM 398742 C:\WINDOWS\SYSTEM32\Ngbhbvk1.xml
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 4/4/2005 8:20:58 PM 398742 C:\WINDOWS\SYSTEM32\Trhtoik1.xml
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/8/2005 6:51:36 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/8/2005 6:49:46 PM H 24 C:\WINDOWS\p5Jua
8/10/2005 9:21:48 PM H 0 C:\WINDOWS\INF\oem26.inf
9/8/2005 6:51:22 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/8/2005 6:53:48 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/8/2005 6:51:38 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/8/2005 6:53:50 PM H 90112 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/8/2005 6:53:52 PM H 929792 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\00QT1G8M\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FTGTRRA\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FW85R9S\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBVWNYOT\desktop.ini
9/8/2005 6:50:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 5/24/2004 7:49:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/6/2005 7:57:06 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/24/2004 7:45:42 PM 1513 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\DESKTOP.INI
3/5/2005 6:36:24 PM 1490 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Laura\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.0.1 = Yahoo! Parental Controls
iebar =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
AGRSMMSG AGRSMMSG.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook C:\WINDOWS\System32\keyhook.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
yayqv C:\WINDOWS\System32\yayqv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/8/2005 7:04:56 PM
  • 0

#37
tampabelle
Posted 08 September 2005 - 06:39 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
If you see the latest WinpFind, you will see this item -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
yayqv C:\WINDOWS\System32\yayqv.exe


Please do this fix again. Dont search for the file C:\WINDOWS\System32\yayqv.exe. Just paste the entire path name in Killbox and let it find it and delete it by itself. Chances are that the file is hidden and you wont be able to see it !!!


Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\qgmtnkny]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"yayqv"=-
"yayqv.exe"=-



Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\WINDOWS\SYSTEM32\mc-110-12-0000079.exe
C:\WINDOWS\System32\yayqv.exe

As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Reboot the PC, again in Safe Mode. Run WinpFind to generate a fresh log.

Restart back in Normal Mode and Post the WinpFind log here!
  • 0

#38
runner
Posted 08 September 2005 - 07:39 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
(Insert 300 of your favorite swear words). I went through the steps and it again showed up on the Winp log from Safe mode. The only thing I did not do was copy and paste the file names into Notepad or Word so I could copy and paste it into the Safe Mode run of Winp. For the first run, in Normal Mode, I just copied and pasted it from your post. Let me try doing it again, this time so I can copy and past for both scans. My apologies.
  • 0

#39
runner
Posted 08 September 2005 - 08:12 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
I have now decided that both Apropos and yayqv.exe are just plain mean. I went through the steps again - this time, after pasting the second entry into Killbox i said yes to reboot now, and the following popped up: "PendingFileRenameOperations Registry Data has been Removed by External Process!"

On Killbox in Safe Mode, following appeared after I hit delete button for both file names: "File does not seem to exist."

This is the new WinPFind log - yayqv.exe is still there, and I think it is probably identical. This thing's tough, huh!??! Thanks again for your help and, most important to a technologically novice person like me,your patience!

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:42 PM 228 C:\win.txt
UPX! 8/18/2005 9:06:10 PM 58 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/31/2004 3:01:12 PM 193869 C:\WINDOWS\Dhnedemq.gty
aspack 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PTech 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
PEC2 10/31/2004 3:01:00 PM 184535 C:\WINDOWS\Qlhcwllk.xjx
UPX! 8/7/2005 6:14:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 5/11/2005 8:52:30 AM 398742 C:\WINDOWS\SYSTEM32\Euemrgk1.xml
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
FSG! 4/28/2005 8:20:42 AM 398742 C:\WINDOWS\SYSTEM32\Ngbhbvk1.xml
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 4/4/2005 8:20:58 PM 398742 C:\WINDOWS\SYSTEM32\Trhtoik1.xml
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/8/2005 9:49:22 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/8/2005 9:42:34 PM H 24 C:\WINDOWS\p5Jua
8/10/2005 9:21:48 PM H 0 C:\WINDOWS\INF\oem26.inf
9/8/2005 9:49:10 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/8/2005 9:50:02 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/8/2005 9:49:26 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/8/2005 9:50:44 PM H 86016 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/8/2005 9:49:24 PM H 860160 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\00QT1G8M\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FTGTRRA\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FW85R9S\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBVWNYOT\desktop.ini
9/8/2005 9:43:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 5/24/2004 7:49:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/6/2005 7:57:06 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/24/2004 7:45:42 PM 1513 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\DESKTOP.INI
3/5/2005 6:36:24 PM 1490 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Laura\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.0.1 = Yahoo! Parental Controls
iebar =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
AGRSMMSG AGRSMMSG.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook C:\WINDOWS\System32\keyhook.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
yayqv C:\WINDOWS\System32\yayqv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/8/2005 10:00:14 PM
  • 0

#40
tampabelle
Posted 09 September 2005 - 03:12 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,


Can we try this -



Shut down Microsoft Anti-Spyware as it may be interfering with the fix.

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Reboot the PC in Safe Mode. Run WinpFind to generate a fresh log.

Restart back in Normal Mode and Post the WinpFind log here!
  • 0

Advertisements

#41
runner
Posted 09 September 2005 - 06:58 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Darn it, it did not work, but I like the thinking! Here is the log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:42 PM 228 C:\win.txt
UPX! 8/18/2005 9:06:10 PM 58 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/31/2004 3:01:12 PM 193869 C:\WINDOWS\Dhnedemq.gty
aspack 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PTech 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
PEC2 10/31/2004 3:01:00 PM 184535 C:\WINDOWS\Qlhcwllk.xjx
UPX! 8/7/2005 6:14:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 5/11/2005 8:52:30 AM 398742 C:\WINDOWS\SYSTEM32\Euemrgk1.xml
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
FSG! 4/28/2005 8:20:42 AM 398742 C:\WINDOWS\SYSTEM32\Ngbhbvk1.xml
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 4/4/2005 8:20:58 PM 398742 C:\WINDOWS\SYSTEM32\Trhtoik1.xml
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/9/2005 8:34:30 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/9/2005 8:32:54 PM H 24 C:\WINDOWS\p5Jua
8/10/2005 9:21:48 PM H 0 C:\WINDOWS\INF\oem26.inf
9/9/2005 8:34:16 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/9/2005 8:34:50 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/9/2005 8:34:32 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/9/2005 8:35:58 PM H 90112 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/9/2005 8:34:54 PM H 929792 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\00QT1G8M\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FTGTRRA\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FW85R9S\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBVWNYOT\desktop.ini
9/9/2005 8:33:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 5/24/2004 7:49:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/6/2005 7:57:06 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/24/2004 7:45:42 PM 1513 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\DESKTOP.INI
3/5/2005 6:36:24 PM 1490 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Laura\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.0.1 = Yahoo! Parental Controls
iebar =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
AGRSMMSG AGRSMMSG.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook C:\WINDOWS\System32\keyhook.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
yayqv C:\WINDOWS\System32\yayqv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/9/2005 8:45:06 PM
  • 0

#42
tampabelle
Posted 10 September 2005 - 05:47 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fixme.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"yayqv"=-



DoubleClick fixme.reg-> Allow it to merge into the Registry!

Restart the PC in Normal Mode and Post the WinpFind log here!
  • 0

#43
runner
Posted 11 September 2005 - 04:00 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
Sorry for the delay, I have been out of town. Unless I am missing somethig in the report, I think that did the trick with respect to the yayqv.exe thing!! Thanks!! Any further guidance about Apropos??

Here is the WinpFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:48 PM 767 C:\log.txt
PEC2 8/18/2005 9:06:42 PM 228 C:\win.txt
UPX! 8/18/2005 9:06:10 PM 58 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/31/2004 3:01:12 PM 193869 C:\WINDOWS\Dhnedemq.gty
aspack 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PTech 10/31/2004 3:01:30 PM 1047967 C:\WINDOWS\Ibifkgvhv.gul
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\LPT$VPN.761
PEC2 10/31/2004 3:01:00 PM 184535 C:\WINDOWS\Qlhcwllk.xjx
UPX! 8/7/2005 6:14:48 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
qoologic 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
SAHAgent 8/7/2005 6:14:48 PM 15552195 C:\WINDOWS\VPTNFILE.761
UPX! 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/7/2005 6:14:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
FSG! 5/11/2005 8:52:30 AM 398742 C:\WINDOWS\SYSTEM32\Euemrgk1.xml
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
FSG! 4/28/2005 8:20:42 AM 398742 C:\WINDOWS\SYSTEM32\Ngbhbvk1.xml
Umonitor 8/29/2002 6:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
FSG! 4/4/2005 8:20:58 PM 398742 C:\WINDOWS\SYSTEM32\Trhtoik1.xml
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/11/2005 5:28:52 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
9/11/2005 5:26:54 PM H 24 C:\WINDOWS\p5Jua
8/10/2005 9:21:48 PM H 0 C:\WINDOWS\INF\oem26.inf
9/11/2005 5:28:38 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
9/11/2005 5:30:46 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
9/11/2005 5:28:54 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
9/11/2005 5:30:48 PM H 90112 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
9/11/2005 5:30:50 PM H 933888 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\00QT1G8M\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FTGTRRA\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5FW85R9S\desktop.ini
9/1/2005 11:43:04 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OBVWNYOT\desktop.ini
9/11/2005 5:27:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 6:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 5/24/2004 7:49:14 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 7/27/2003 11:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/6/2005 7:57:06 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
5/24/2004 7:45:42 PM 1513 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\DESKTOP.INI
3/5/2005 6:36:24 PM 1490 C:\Documents and Settings\Laura\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Laura\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.0.1 = Yahoo! Parental Controls
iebar =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Apoint C:\Program Files\Apoint\Apoint.exe
AGRSMMSG AGRSMMSG.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SiS Windows KeyHook C:\WINDOWS\System32\keyhook.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
KernelFaultCheck %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Sonic RecordNow!
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/11/2005 5:41:44 PM
  • 0

#44
tampabelle
Posted 12 September 2005 - 09:06 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0

#45
runner
Posted 12 September 2005 - 09:39 PM

runner

    Member

  • Topic Starter
  • Member
  • PipPip
  • 86 posts
It's probably a tribute to the people that make these spyware programs, viruses, trojans, etc., but it seems like every scanner/program I download picks up new stuff. Before I ran SpySweeper, I ran Ad-Aware, Ewido, and Microsoft Antispyware, and none picked up anything (except of course our buddy Apropos!), and Spysweeper found all sorts of stuff I've never seen before! Should I delete all these permanently or leave in quarantine? Here is the log:

********
11:14 PM: |··· Start of Session, Monday, September 12, 2005 ···|
11:14 PM: Spy Sweeper started
11:14 PM: Sweep initiated using definitions version 532
11:14 PM: Starting Memory Sweep
11:17 PM: Memory Sweep Complete, Elapsed Time: 00:03:06
11:17 PM: Starting Registry Sweep
11:17 PM: Found Adware: apropos
11:17 PM: HKLM\software\aprps\ (2 subtraces) (ID = 103741)
11:17 PM: Found Adware: begin2search
11:17 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
11:17 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
11:17 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
11:17 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
11:17 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
11:17 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
11:17 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
11:17 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
11:17 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
11:17 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
11:17 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
11:17 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
11:17 PM: Found Adware: elitebar
11:17 PM: HKLM\software\microsoft\windows\currentversion\internet settings\user agent\post platform\ || iebar (ID = 125752)
11:17 PM: Found Adware: drsnsrch.com hijack
11:17 PM: HKU\S-1-5-21-541998944-2676829564-3386067161-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
11:17 PM: Found Adware: neededware
11:17 PM: HKCR\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\ (18 subtraces) (ID = 135802)
11:17 PM: HKCR\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}\ (18 subtraces) (ID = 135803)
11:17 PM: HKCR\clsid\{687d80d2-17e5-40df-a5a9-426dc36b6ad1}\ (3 subtraces) (ID = 135807)
11:17 PM: HKCR\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}\ (3 subtraces) (ID = 135809)
11:17 PM: HKCR\epxactivex.epxactivexctrl.1\ (3 subtraces) (ID = 135812)
11:17 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\ (18 subtraces) (ID = 135819)
11:17 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\typelib\ (1 subtraces) (ID = 135820)
11:17 PM: HKLM\software\classes\clsid\{17b8b110-fd82-4a50-9a46-328bb50c6ca4}\version\ (1 subtraces) (ID = 135821)
11:17 PM: HKLM\software\classes\clsid\{41aa3336-2d3f-4bc6-a06e-f8dcccd1a40a}\ (18 subtraces) (ID = 135822)
11:17 PM: HKLM\software\classes\clsid\{687d80d2-17e5-40df-a5a9-426dc36b6ad1}\ (3 subtraces) (ID = 135826)
11:17 PM: HKLM\software\classes\clsid\{84564147-251a-4f06-8fc5-8ae36b3a55ab}\ (3 subtraces) (ID = 135828)
11:17 PM: HKLM\software\classes\epxactivex.epxactivexctrl.1\ (3 subtraces) (ID = 135831)
11:17 PM: HKLM\software\classes\typelib\{7acd8c16-81e3-4b54-95d6-6e8d600654c3}\ (9 subtraces) (ID = 135837)
11:17 PM: HKLM\software\classes\typelib\{375743f3-736c-4377-86b6-06618f1cd726}\ (9 subtraces) (ID = 135838)
11:17 PM: HKCR\typelib\{7acd8c16-81e3-4b54-95d6-6e8d600654c3}\ (9 subtraces) (ID = 135852)
11:17 PM: HKCR\typelib\{375743f3-736c-4377-86b6-06618f1cd726}\ (9 subtraces) (ID = 135853)
11:17 PM: Found Trojan Horse: trojan-downloader-hidd
11:17 PM: HKU\S-1-5-21-541998944-2676829564-3386067161-1006\software\microsoft\windows\currentversion\nur\ (2 subtraces) (ID = 144689)
11:17 PM: Found Trojan Horse: trojan-downloader-wareout
11:17 PM: HKU\S-1-5-21-541998944-2676829564-3386067161-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
11:17 PM: Found Adware: winad
11:17 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
11:17 PM: Found Adware: drsnsrch hijacker
11:17 PM: HKCR\dsrch.band\ (5 subtraces) (ID = 509134)
11:17 PM: HKCR\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 509153)
11:17 PM: HKLM\software\classes\dsrch.band\ (5 subtraces) (ID = 509171)
11:17 PM: HKCR\dsrch.band\clsid\ (1 subtraces) (ID = 509361)
11:17 PM: HKCR\dsrch.band\curver\ (1 subtraces) (ID = 509362)
11:17 PM: Found Trojan Horse: trojan-downloader-ruin
11:17 PM: HKLM\software\microsoft\windows\currentversion\urls\ (7 subtraces) (ID = 605127)
11:17 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (46 subtraces) (ID = 605128)
11:17 PM: HKLM\software\classes\typelib\{8f73ac0f-5769-4282-8762-b396a3bff377}\ (9 subtraces) (ID = 646384)
11:17 PM: Found Adware: safesurf
11:17 PM: HKCR\funtools.picshow\ (5 subtraces) (ID = 730902)
11:17 PM: HKCR\funtools.picshow.1\ (3 subtraces) (ID = 730908)
11:17 PM: HKCR\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730912)
11:17 PM: HKCR\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730924)
11:17 PM: HKLM\software\classes\funtools.picshow\ (5 subtraces) (ID = 730957)
11:17 PM: HKLM\software\classes\funtools.picshow.1\ (3 subtraces) (ID = 730963)
11:17 PM: HKLM\software\classes\clsid\{4487598c-2ec7-43a2-870e-6d8d720fdd9f}\ (11 subtraces) (ID = 730967)
11:17 PM: HKLM\software\classes\typelib\{7638761f-0ce1-4e68-9692-d623527a6b7b}\ (9 subtraces) (ID = 730979)
11:17 PM: HKLM\software\picshow\ (14 subtraces) (ID = 730989)
11:17 PM: Registry Sweep Complete, Elapsed Time:00:00:20
11:17 PM: Starting Cookie Sweep
11:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:17 PM: Starting File Sweep
11:18 PM: c:\windows\system32\cache32_rtneg2 (2 subtraces) (ID = -2147481388)
11:18 PM: winstat11.dat (ID = 70669)
11:18 PM: Found Adware: dealhelper
11:18 PM: ngbhbvu3.xml (ID = 57652)
11:18 PM: euemrgu3.xml (ID = 57652)
11:18 PM: trhtoik2.xml (ID = 57648)
11:18 PM: backup-20050814-174111-893.osd (ID = 70665)
11:18 PM: trhtoik.xml (ID = 57646)
11:18 PM: trhtoik1.xml (ID = 57647)
11:18 PM: ngbhbvk1.xml (ID = 57647)
11:18 PM: euemrgk.xml (ID = 57646)
11:18 PM: euemrgk1.xml (ID = 57647)
11:18 PM: Found Adware: ieplugin
11:18 PM: kwv2.dat (ID = 63356)
11:19 PM: ngbhbvu2.xml (ID = 57651)
11:19 PM: trhtoiu2.xml (ID = 57651)
11:19 PM: trhtoiu3.xml (ID = 57652)
11:19 PM: exec.exe (ID = 50118)
11:19 PM: ngbhbvu.xml (ID = 57649)
11:19 PM: Found Adware: tvmedia
11:19 PM: tvmknwrd.dll (ID = 81726)
11:19 PM: trhtoiu.xml (ID = 57649)
11:19 PM: euemrgu2.xml (ID = 57651)
11:19 PM: ngbhbvk2.xml (ID = 57648)
11:19 PM: euemrgk2.xml (ID = 57648)
11:19 PM: ngbhbvk.xml (ID = 57646)
11:19 PM: euemrgu.xml (ID = 57649)
11:19 PM: ngbhbvu1.xml (ID = 57650)
11:19 PM: wingenerics.dll (ID = 50187)
11:19 PM: trhtoiu1.xml (ID = 57650)
11:19 PM: euemrgu1.xml (ID = 57650)
11:19 PM: Found Adware: shopathomeselect
11:19 PM: tm97pj39.dat (ID = 75644)
11:19 PM: kdlmjh8r.dat (ID = 75676)
11:19 PM: p1fumi62.dat (ID = 75851)
11:20 PM: bingo_big3123.ico (ID = 51022)
11:20 PM: ngbhbvdk.xml (ID = 57645)
11:20 PM: euemrgdk.xml (ID = 57645)
11:20 PM: trhtoidk.xml (ID = 57645)
11:20 PM: File Sweep Complete, Elapsed Time: 00:02:07
11:20 PM: Full Sweep has completed. Elapsed time 00:05:44
11:20 PM: Traces Found: 471
11:28 PM: Removal process initiated
11:28 PM: Quarantining All Traces: apropos
11:28 PM: Quarantining All Traces: begin2search
11:28 PM: Quarantining All Traces: elitebar
11:28 PM: Quarantining All Traces: drsnsrch.com hijack
11:28 PM: Quarantining All Traces: neededware
11:28 PM: Quarantining All Traces: trojan-downloader-hidd
11:28 PM: Quarantining All Traces: trojan-downloader-wareout
11:28 PM: Quarantining All Traces: winad
11:28 PM: Quarantining All Traces: drsnsrch hijacker
11:28 PM: Quarantining All Traces: trojan-downloader-ruin
11:28 PM: Quarantining All Traces: safesurf
11:28 PM: Quarantining All Traces: dealhelper
11:28 PM: Quarantining All Traces: ieplugin
11:28 PM: Quarantining All Traces: tvmedia
11:28 PM: Quarantining All Traces: shopathomeselect
11:28 PM: Removal process completed. Elapsed time 00:00:51
********
11:13 PM: |··· Start of Session, Monday, September 12, 2005 ···|
11:13 PM: Spy Sweeper started
11:14 PM: |··· End of Session, Monday, September 12, 2005 ···|
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP