Troj Cass-A in system32\dist001.exe [RESOLVED]


This topic is locked.

#31
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Hello chicagochicklett :tazz:

When you ran SpySweeper, at the end of the scan, did you make sure all of the items it found had a checkmark by them then click the Next button to remove them? If not, please run SpySweeper in Safe Mode again and remove everything it found. Then post a new HiJackThis log.

If you did remove everything SpySweeper found then follow my next instructions.

Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file: C:\Program Files\SurfSideKick 3\Ssk.exe
  • Double click on that file.
  • HiJackThis will ask if you want to reboot, now. Click "YES".
After reboot, do this:

Copy everything inside the code box below (starting with REGEDIT4) and paste it into Notepad (make sure there is no blank line above REGEDIT4). Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as remssk.reg on your desktop:

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3]

[-HKEY_CURRENT_USER\SOFTWARE\SurfSideKick3]
Double-click remssk.reg on your desktop and when asked if you want to merge with the registry click YES.

Reboot your computer again then rescan with HijackThis and post a new HiJackThis log.
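The .reg file above uses two REGEDIT4 constructions: a key in brackets with a leading minus (`[-KEY]`) deletes that key and everything under it, and a value line ending in `=-` deletes a single value from the key opened by the last plain `[KEY]` line. Before merging a file like this it is worth listing exactly what it will do. The script below is an added example, not code from the post or from HijackThis; it reads the file text, checks the signature line the same way regedit does (which is why the post warns against a blank line above REGEDIT4), and prints the planned operations without touching the registry, so it runs on any OS.

```python
"""Dry-run reader for REGEDIT4-format .reg files.

Added example (not from the post or from HijackThis): lists the registry
operations a .reg file would perform when merged, so the file can be
reviewed before double-clicking it. Nothing here touches the registry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the SurfSideKick removal file from the post above.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SurfSideKick 3"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3]

[-HKEY_CURRENT_USER\SOFTWARE\SurfSideKick3]
"""


@dataclass(frozen=True)
class RegOp:
    action: str          # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""       # value name; "" means the key's (Default) value
    data: str = ""       # raw data text for set_value, left unparsed


# [KEY] opens a key section; [-KEY] deletes the key and all its subkeys.
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# "name"=data or @=data inside a section; data of "-" deletes the value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def plan_reg_merge(text: str) -> list[RegOp]:
    """Return the operations regedit would perform for this file text."""
    lines = text.splitlines()
    # Regedit only accepts the file if the signature is the very first line.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")
    ops: list[RegOp] = []
    current: str | None = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(RegOp("delete_key", key))
                current = None            # values may not follow a deletion
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"line {lineno}: value outside a [KEY] section")
            name, default, data = m.groups()
            name = "" if default else name
            if data == "-":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data))
            continue
        raise ValueError(f"line {lineno}: unrecognised line {raw!r}")
    return ops


def describe(ops: list[RegOp]) -> list[str]:
    """One human-readable line per operation, for review before merging."""
    out = []
    for op in ops:
        shown = op.name or "(Default)"
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key} -> {shown}")
        else:
            out.append(f"SET VALUE    {op.key} -> {shown} = {op.data}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(plan_reg_merge(SAMPLE_REG))))
```

For the post's file this prints four key deletions and two value deletions (the two Run entries). The deliberate `ValueError` on a blank first line mirrors regedit refusing the file, which is the failure the post's "no blank line above REGEDIT4" instruction is guarding against.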



#32
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Okay, ran SpySweeper and removed everything.

But now I have some bad news. When I restarted the computer, a window popped up saying "Sorry, Internet Explorer has encountered an error and needs to shut down. The info you were working on may be lost." Then I have the option to Debug or Close. When I clicked debug nothing happened, and when I pressed close, the window keeps popping up every five seconds.

I don't use IE, I use Mozilla, so I haven't even opened Int. Explorer in over a week, and I never had this problem before and it's extremely frustrating because it keeps interrupting everything. Help!!!!!!!!

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:03:24 PM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [com.codeode.cactusspamfilter] "C:\Program Files\Cactus Spam Filter 2.01\cactusspamfilter.exe" -minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: www.ellegirl.com
O15 - Trusted Zone: www.hotelrwanda.com
O15 - Trusted Zone: http://www.stars21.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107183886500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61948E37-F456-45AA-A81F-DC5436FB3927}: NameServer = 199.224.86.15 199.224.86.16
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
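A HijackThis log like the one above is read section by section: the O4 lines are autostart entries, O15 lines are sites added to Internet Explorer's Trusted Zone, O16 lines are ActiveX downloads, and O17 lines are the DNS servers set on an interface. The script below is an added example, not code from the post or from HijackThis; it pulls those entries out of a pasted log so a reviewer sees them in one place. It also flags O4 Run commands that name a bare file with no directory (as `ICO.EXE` and `LTMSG.exe` do in the log above), because such a command is resolved through the search path at logon and the only hint to where the file lives is the "Running processes" list, which the script cross-checks. The sample log is constructed for the example and its O16 URL is a placeholder; the script judges nothing, the entries still need a human decision.

```python
"""Triage helper for HijackThis v1.99-format logs.

Added example (not from the post or from HijackThis): extracts the
entries a malware-removal helper reads first and cross-checks
directory-less Run commands against the running-process list.
"""
from __future__ import annotations

import re

# Constructed sample in the log format shown above; the O16 URL is a
# placeholder, not a real download location.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\QuickTime\qttask.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O15 - Trusted Zone: www.ellegirl.com
O15 - Trusted Zone: http://www.stars21.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example.invalid/scanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61948E37-F456-45AA-A81F-DC5436FB3927}: NameServer = 199.224.86.15 199.224.86.16
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<link>.+?) = (?P<target>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def executable(cmd: str) -> str:
    """First token of a Run command: the quoted path, or the first word."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage_hjt(text: str) -> dict:
    """Pick out the entries a reviewer reads first from a HijackThis log."""
    result: dict = {
        "searchhook_missing": False,
        "processes": [],        # paths from the "Running processes:" block
        "run": [],              # (hive, subkey, name, executable)
        "run_unqualified": [],  # (name, executable, matching running processes)
        "startup": [],          # (shortcut, target) from Startup folders
        "trusted_zones": [],    # sites IE treats with relaxed security
        "dpf": [],              # (clsid, description, url) ActiveX downloads
        "nameservers": [],      # DNS servers configured on an interface
    }
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                result["processes"].append(line)
                continue
            in_processes = False          # blank line ends the block
        if line == "R3 - Default URLSearchHook is missing":
            result["searchhook_missing"] = True
        elif m := RUN_RE.match(line):
            exe = executable(m["cmd"])
            result["run"].append((m["hive"], m["subkey"], m["name"], exe))
            if "\\" not in exe:
                # No directory given: find running processes with that file name.
                matches = [p for p in result["processes"]
                           if p.rsplit("\\", 1)[-1].lower() == exe.lower()]
                result["run_unqualified"].append((m["name"], exe, matches))
        elif m := STARTUP_RE.match(line):
            result["startup"].append((m["link"], m["target"]))
        elif m := TRUSTED_RE.match(line):
            result["trusted_zones"].append(m["site"])
        elif m := DPF_RE.match(line):
            result["dpf"].append((m["clsid"], m["desc"], m["url"]))
        elif m := NS_RE.match(line):
            result["nameservers"].extend(m["servers"].split())
    return result


if __name__ == "__main__":
    for key, value in triage_hjt(SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the sample, `ICO.EXE` resolves to `C:\WINDOWS\system32\ICO.EXE` through the process list while `LTMSG.exe` has no running match, which is exactly the kind of entry a reviewer would go and locate on disk before deciding anything.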

#33
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Try not to worry, we will get it sorted :tazz:. I understand the frustration. I need you to delete the C:\Program Files\SurfSideKick 3 folder if it is still present, then run this scan please:

a-squared Free is a trojan removal tool. To be able to use it, you must set up a free a-squared account to get access to the update server.
Please set up an a-squared account at the following link:
http://www.emsisoft....oftware/account

Then download a-squared free from this link:

http://www.emsisoft....ftware/download

Install it and update it.

Then boot your computer to safe mode by tapping the F8 key repeatedly on reboot until you get a boot menu. From this boot menu choose safe mode.

Once in safe mode, fire up a-squared and let it run. Do not fix anything yet; let's just see what it finds. When it is done scanning, click the "save log as html" button.

Reboot to normal windows and upload that html file with your next post. I will go through and analyze the log to tell you if any of the files should not be removed.

#34
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Here is the a-squared log. I've noticed some files that were created a week ago, around the time when the computer started acting up, and I don't recognize them. Hopefully you'll figure out what they are. I was curious about VERITAS Software, Insizard, and ProSiteFinder.

It looks like the SurfSideKick folder is finally gone, though! Now if I could just get everything else cleared out....

Thanks for your help so far, Michelle!

Attached Files



#35
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Set your system to SHOW HIDDEN FILES

Then using Windows Explorer, see if you can locate this file:

C:\Windows\system32\repairs.dll

If found, delete it! Please let me know :tazz:

Please download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, if it does go ahead and reboot.

Then, please run a-squared again and remove just these 2 items (not the others, they are legit!):

C:\Program Files\ProSiteFinder\b0z1s9id.DLL Adware.ClaerSearch.ab
C:\Program Files\ProSiteFinder\kx0zhjcn.DLL Adware.ClearSearch.ae


About Veritas (legitimate and nothing to worry about!):

Process File: sgtray or sgtray.exe
Process Name: VERITAS StorageGuard Tray Application
 
Description:
sgtray.exe is a utility from VERITAS Software Corporation which installs itself on the system tray bar, and serves to remind you to backup your files.


Using the Registry Search Tool that Trevuren had you download, search for this:

ProSiteFinder

Post that log into your next reply as well as this log:

*Open HijackThis.
*Click Open Misc Tools Section
*Click Open Uninstall Manager
*Click Save List - Save it anywhere.
*A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

#36
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Okay, I deleted:

C:\Program Files\ProSiteFinder\b0z1s9id.DLL Adware.ClaerSearch.ab
C:\Program Files\ProSiteFinder\kx0zhjcn.DLL Adware.ClearSearch.ae

from a-squared. Then searched for ProSiteFinder in the Registry Search Tool and it came up with nothing. Seems like that is good!

Here is the HJT Uninstall Manager log:

Ad-Aware SE Personal
Adobe Reader 7.0
AOL Instant Messenger
a-squared Personal 1.6
CleanUp!
DING!
ewido security suite
Google Talk (remove only)
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
IBM RecordNow Update Manager
IBM RecordNow!
Intel® Extreme Graphics Driver
InterActual Player
InterVideo WinDVD
iPod for Windows 2005-03-23
iTunes
Jasc Paint Shop Pro 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
Mouse Suite
Mozilla Firefox (1.0.4)
Power Tab Editor 1.7
ProSiteFinder
PShow
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Select CashBack
Sophos Anti-Virus version 3.97.0
Sophos Remote Update
Spy Sweeper
Spybot - Search & Destroy 1.3
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinMX
Yahoo! Photos Easy Upload Tool 1v6

#37
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Forgot to mention that I did not see the file repairs.dll in the Windows\system32 folder. Hope that is good news!

#38
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
*Open HijackThis.
*Click Open Misc Tools Section
*Click Open Uninstall Manager
*Scroll down the list for ProSiteFinder
*Click to highlight it.
*On the right-side click Delete this entry
*Click YES at the prompt

Then, delete this folder:

C:\Program Files\ProSiteFinder

You'll have to use Internet Explorer for this scan, you may not be able to because of the IE errors, but let's try it anyway. Please let me know!

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#39
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Here's the log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, September 06, 2005 12:27:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/09/2005
Kaspersky Anti-Virus database records: 148031
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 112831
Number of viruses found: 44
Number of infected objects: 111
Number of suspicious objects: 4
Duration of the scan process: 4799 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Family\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0017.BIN Infected: not-a-virus:AdWare.NewDotNet
C:\Documents and Settings\Family\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0018.BIN Infected: not-a-virus:AdWare.EZula.a
C:\Documents and Settings\Family\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Gator.3103
C:\Documents and Settings\Family\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe Infected: not-a-virus:AdWare.Gator.3103
C:\RECYCLER\S-1-5-21-1614895754-583907252-725345543-1005\Dc1\luds4vo7.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\RECYCLER\S-1-5-21-1614895754-583907252-725345543-1005\Dc1\q0k0xh1w.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\Spyware\Msg11x and 12x Removal Tools\[CLEANER] L2M.VX2.~msg12.dll~[bleep]~.ZestyFind removal [W.XP ONLY]\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP116\A0011880.exe Infected: not-a-virus:AdWare.Sahat.w
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP116\A0011881.exe/clientax.dll Infected: not-a-virus:AdWare.180Solutions.g
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP116\A0011881.exe Infected: not-a-virus:AdWare.180Solutions.g
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP116\A0011883.exe Infected: Trojan-Downloader.Win32.IstBar.jm
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0017219.dll Infected: not-a-virus:AdWare.ClearSearch.z
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0017220.exe Infected: not-a-virus:AdWare.ClearSearch.ac
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0017293.exe Infected: Trojan-Downloader.Win32.QDown.z
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0017298.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0017302.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0018294.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0018296.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0018303.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0018305.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0019304.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020309.exe Infected: not-a-virus:AdWare.WinAD.bj
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020326.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020329.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020344.dll Infected: not-a-virus:AdWare.ClearSearch.z
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020345.exe Infected: not-a-virus:AdWare.ClearSearch.ac
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020346.dll Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020347.dll Infected: not-a-virus:AdWare.ClearSearch.u
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020348.dll Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020350.exe Infected: not-a-virus:AdWare.NewDotNet
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020351.exe Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020352.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020353.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020354.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020355.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP169\A0020424.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP169\A0020510.dll Infected: not-a-virus:AdWare.Suggestor.f
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP170\A0020528.dll Infected: not-a-virus:AdWare.SafeSurfing.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP170\A0020644.exe Infected: not-a-virus:AdWare.SafeSurfing.s
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe/InpB Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020759.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP171\A0020773.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022048.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022049.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022050.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022055.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022057.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022057.exe Infected: Backdoor.Win32.HacDef.bo
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022059.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022059.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022059.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022060.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0022060.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0024214.DLL Infected: not-a-virus:AdWare.ClaerSearch.ab
C:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP174\A0024215.DLL Infected: not-a-virus:AdWare.ClearSearch.ae
C:\WINDOWS\system32\2c7tn6l8.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\WINDOWS\system32\sav2.exe Infected: Trojan-Downloader.Win32.Apropo.aj
F:\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0017.BIN Infected: not-a-virus:AdWare.NewDotNet
F:\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0018.BIN Infected: not-a-virus:AdWare.EZula.a
F:\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Gator.3103
F:\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe Infected: not-a-virus:AdWare.Gator.3103
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\00462BAA Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\00E634FA Infected: not-a-virus:AdWare.ToolBar.ImiBar.b
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\02D04EDF Infected: Trojan-Downloader.Win32.Agent.ab
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0ACC3DDC Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0AD311D4 Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B8D6B08 Infected: Trojan-Downloader.Win32.Agent.ab
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\15FA67CF Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\19EC7639 Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1AD361CC/[From [email protected]][Date Wed, 2 Jun 2004 11:37:22 -0700]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1AD361CC/[From [email protected]][Date Wed, 2 Jun 2004 11:37:22 -0700]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1AD361CC/[From [email protected]][Date Wed, 2 Jun 2004 11:37:22 -0700]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1AD361CC/[From [email protected]][Date Wed, 2 Jun 2004 11:37:22 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1AD361CC Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1B034A0D Infected: not-a-virus:AdWare.VirtualBouncer.d
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1DB02312 Infected: not-a-virus:AdWare.ToolBar.ImiBar.b
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\223D7EAE Infected: not-a-virus:AdWare.BiSpy.o
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B620EE5/[From [email protected]][Date Sun, 23 May 2004 12:52:15 -0700]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B620EE5/[From [email protected]][Date Sun, 23 May 2004 12:52:15 -0700]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B620EE5/[From [email protected]][Date Sun, 23 May 2004 12:52:15 -0700]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B620EE5/[From [email protected]][Date Sun, 23 May 2004 12:52:15 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2B620EE5 Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\32AC3A5A Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\40BF1FFA Infected: Trojan.Win32.SecondThought.c
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4271701C Infected: Email-Worm.Win32.NetSky.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4A870E05 Infected: not-a-virus:AdWare.BiSpy.o
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4B394D7F Infected: not-a-virus:AdWare.ToolBar.ImiBar.b
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\519F69EE Infected: not-a-virus:AdWare.BiSpy.o
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\538750E1 Infected: Trojan-Downloader.Win32.Agent.ab
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5CDB53E1/ Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5CDB53E1 Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\649133A2 Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6A6F63B3 Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6EB22B02 Infected: Trojan-Downloader.Win32.Agent.ab
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6EFA46B3 Infected: Email-Worm.Win32.Mydoom.q
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79A57E32/ Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\79A57E32 Infected: Trojan-Downloader.Win32.Agent.ae
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7EE843AE/WISE0001.BIN Infected: not-a-virus:AdWare.VirtualBouncer.j
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7EE843AE Infected: not-a-virus:AdWare.VirtualBouncer.j
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7F411E04 Infected: not-a-virus:AdWare.BiSpy.o
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7F5519EF Infected: not-a-virus:AdWare.BiSpy.o
F:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7F5843EB Infected: not-a-virus:AdWare.BiSpy.o
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020356.dll Infected: not-a-virus:AdWare.MetaDirect.SideStep.a
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020357.exe Infected: not-a-virus:AdWare.NewDotNet
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020358.exe Infected: not-a-virus:AdWare.NewDotNet
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020359.exe Infected: not-a-virus:AdWare.NewDotNet
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020360.exe Infected: not-a-virus:AdWare.NewDotNet
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020362.dll Infected: not-a-virus:AdWare.VirtualBouncer.d
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020363.dll Infected: not-a-virus:AdWare.180Solutions
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP168\A0020364.dll Infected: not-a-virus:AdWare.VirtualBouncer.g
F:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP306\A0030851.dll Infected: not-a-virus:AdWare.BiSpy.o

Scan was interrupted by user!

#40
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Please empty your Recycle bin.

What all is on your F drive?

Norton Internet Security is on the F drive; everything in its quarantine needs to be deleted.

Please delete these 2 files:

C:\WINDOWS\system32\2c7tn6l8.ini
C:\WINDOWS\system32\sav2.exe

If you have problems deleting either of these, please let me know!

I don't know what this is, but it's on the F drive and full of adware, and I would strongly advise deleting it:

F:\My Documents\Mur's Junk\kurt_cobain_tribute-47748.exe

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

R3 - Default URLSearchHook is missing

****OPTIONAL ITEMS**** Fixing these in HiJackThis will free up some system resources:

O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

If you purposely put these in your Trusted Zone you can leave them; otherwise, please fix them:

O15 - Trusted Zone: www.ellegirl.com
O15 - Trusted Zone: www.hotelrwanda.com
O15 - Trusted Zone: http://www.stars21.com


Close HiJackThis.

Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Reboot into Safe Mode

Once in Safe Mode, double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Reboot back to Normal Mode!
  • Place the results from WinPFind.txt in the next post!
Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe (must be run in normal mode)
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.
Post the contents of WinPFind.txt as well as rootkitrevealer.txt into your next reply.

#41
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
I wasn't sure about our F drive. While I was at college this year, our computer crashed and we started fresh on the C drive, but I believe we recovered all of the information from the original C drive and it was all put on the F drive. Basically, the F drive isn't really used at all now. But I guess there is some questionable stuff lingering in there.

I deleted those two files, no problem.


WinPFind log:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 6/29/2005 7:46:00 PM 4827968 C:\Firefox Setup 1.0.4.exe

Checking %ProgramFilesDir% folder...
UPX! 8/24/2005 3:12:42 PM 921280 C:\Program Files\googletalk-setup.exe
aspack 7/23/2005 2:35:32 PM 894976 C:\Program Files\iview397.exe

Checking %WinDir% folder...
PECompact2 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\LPT$VPN.803
qoologic 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\LPT$VPN.803
SAHAgent 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\LPT$VPN.803
UPX! 8/28/2005 7:42:08 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\VPTNFILE.803
qoologic 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\VPTNFILE.803
SAHAgent 8/28/2005 7:42:08 PM 15677649 C:\WINDOWS\VPTNFILE.803
UPX! 8/28/2005 7:42:08 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 8/28/2005 7:42:08 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 8/27/2005 11:45:34 PM 35 C:\WINDOWS\SYSTEM32\0c3oniam.ini
SAHAgent 8/28/2005 2:00:04 PM 3587 C:\WINDOWS\SYSTEM32\cjtfpe4k.ini
PEC2 8/29/2002 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/20/2004 4:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 12:56:38 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 12:56:46 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/6/2005 6:38:26 PM S 2048 C:\WINDOWS\bootstat.dat
9/6/2005 6:36:58 PM H 24 C:\WINDOWS\prgsb
9/6/2005 6:37:20 PM S 64 C:\WINDOWS\CSC\00000001
9/5/2005 4:40:58 PM S 64 C:\WINDOWS\CSC\00000002
9/5/2005 4:27:50 PM S 64 C:\WINDOWS\CSC\csc1.tmp
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/6/2005 6:38:18 PM H 8192 C:\WINDOWS\system32\config\default.LOG
9/6/2005 6:38:40 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/6/2005 6:38:28 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
9/6/2005 6:38:42 PM H 73728 C:\WINDOWS\system32\config\software.LOG
9/6/2005 6:38:34 PM H 860160 C:\WINDOWS\system32\config\system.LOG
8/13/2005 11:28:04 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/31/2005 2:35:54 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\b6c93e7d-1a60-42cd-9fc8-2ceb1d4ffdae
7/31/2005 2:35:54 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/6/2005 6:37:24 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 4:20:00 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 4:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
WildTangent, Inc. 2/28/2002 2:56:34 PM 45056 C:\WINDOWS\SYSTEM32\wtcpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive3/31/2005 8:50:32 AM 3006464 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/29/2002 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/31/2005 11:51:52 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/31/2005 10:55:12 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/19/2005 10:59:58 AM 1677 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DING!.lnk
9/6/2005 8:57:06 AM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNK
1/31/2005 11:49:32 AM 822 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remote Update Monitor.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/31/2005 5:43:16 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
1/31/2005 10:55:12 AM HS 84 C:\Documents and Settings\Family\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
1/31/2005 5:43:16 AM HS 62 C:\Documents and Settings\Family\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\a2\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Mouse Suite 98 Daemon ICO.EXE
LTMSG LTMSG.exe 7
com.codeode.cactusspamfilter "C:\Program Files\Cactus Spam Filter 2.01\cactusspamfilter.exe" -minimized
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
UserFaultCheck %systemroot%\system32\dumprep 0 -u
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
googletalk "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
a-squared "C:\Program Files\a2\a2guard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
oesrrfuthr.exe C:\WINDOWS\system\oesrrfuthr.exe


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs



Rootkit Revealer Log:

HKLM\SOFTWARE\CrPT4Aw2YM7D 8/29/2005 9:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIIDE 1/31/2005 10:58 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUSTRY 8/28/2005 5:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\PerfProc 1/31/2005 5:43 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Plustry 9/6/2005 7:05 PM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim 9/5/2005 12:01 AM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim\ace.dll 8/28/2005 5:31 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Sopaim\AI_01-09-2005.log 9/1/2005 6:31 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_02-09-2005.log 9/2/2005 6:45 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_03-09-2005.log 9/3/2005 9:30 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_04-09-2005.log 9/4/2005 7:46 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_05-09-2005.log 9/5/2005 12:01 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_30-08-2005.log 8/30/2005 12:00 AM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\AI_31-08-2005.log 8/31/2005 6:42 PM 3 bytes Hidden from Windows API.
C:\Program Files\Sopaim\atl.dll 8/28/2005 5:31 PM 73.06 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache 9/4/2005 8:38 PM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00000029_4316637b_000c65d4 8/31/2005 10:12 PM 2.72 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\000001eb_431b8aca_00081b32 9/4/2005 8:01 PM 122 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00000f3e_431b90e0_000c28cb 9/4/2005 8:27 PM 1.28 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\000012db_431b8d3b_0004c4b4 9/4/2005 8:11 PM 699 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\000018be_43166c2b_000487ab 8/31/2005 10:49 PM 577 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\000018be_431b8460_000c65d4 9/4/2005 7:33 PM 1.18 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00002ea6_431b8ad2_0008d24d 9/4/2005 8:01 PM 558 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\0000305e_431b924a_00066ff3 9/4/2005 8:33 PM 457 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00003d6c_4314d25c_000a7d8c 8/30/2005 5:40 PM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00003d6c_431b8608_000ec82e 9/4/2005 7:40 PM 581 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\0000440d_431b9372_000d59f8 9/4/2005 8:38 PM 22 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004823_4313b3fe_0004c4b4 8/29/2005 9:18 PM 1.45 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004823_431634f7_000e4e1c 8/31/2005 6:53 PM 876 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004823_43166384_000b34a7 8/31/2005 10:12 PM 18.83 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004823_4317b7d8_000e59c9 9/1/2005 10:24 PM 472 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004ae1_4313c811_0001ab3f 9/4/2005 7:46 PM 648 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00004ae1_431b8548_000bebc2 9/4/2005 7:37 PM 1.45 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00005af1_4313d52d_00053ec6 8/29/2005 11:40 PM 434 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00006784_4313c1e0_00031975 8/29/2005 10:18 PM 582 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00006784_43166e87_000cdfe6 8/31/2005 10:59 PM 474 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\00006952_431b8776_00098968 9/4/2005 7:47 PM 472 bytes Hidden from Windows API.
C:\Program Files\Sopaim\Cache\dns 9/4/2005 10:33 PM 57.24 KB Hidden from Windows API.
C:\Program Files\Sopaim\Cache\index 9/4/2005 8:38 PM 3.02 KB Hidden from Windows API.
C:\Program Files\Sopaim\data.bin 8/28/2005 5:31 PM 114.14 KB Hidden from Windows API.
C:\Program Files\Sopaim\ntkclien.exe 8/28/2005 5:31 PM 156.00 KB Hidden from Windows API.
C:\Program Files\Sopaim\offdecod.exe 8/28/2005 5:32 PM 908.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\clat4usb9.sys 8/28/2005 5:31 PM 12.00 KB Hidden from Windows API.
C:\WINDOWS\system32\norio804.exe 9/6/2005 9:08 AM 424.00 KB Hidden from Windows API.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101 6/8/2005 9:32 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.1 6/7/2005 9:29 PM 1023.87 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.2 6/7/2005 9:33 PM 1023.99 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.3 6/7/2005 9:35 PM 539.85 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.4 6/8/2005 9:29 PM 1023.87 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.5 6/8/2005 9:31 PM 395.68 KB Visible in Windows API, but not in MFT or directory index.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\RestorePointSize 8/13/2005 12:44 PM 8 bytes Visible in Windows API, but not in MFT or directory index.
G: 0 bytes Error mounting volume
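
The RootkitRevealer log above reports one discrepancy per line: the path, a timestamp, a size and a description such as "Hidden from Windows API". The script below is an added example, not part of RootkitRevealer, WinPFind or HijackThis, that parses that line format, separates the "Hidden from Windows API" entries from the lower-priority "Visible in Windows API, but not in MFT" ones, groups hidden files by folder, and pairs a hidden Services key with its matching LEGACY_ enum key. Its input is a constructed excerpt of the posted log, so it runs offline.

```python
"""Triage a RootkitRevealer text log (added example for this thread; not
part of RootkitRevealer, WinPFind or HijackThis).  It parses the report's
plain-text lines, separates the discrepancy classes, and groups the 'Hidden
from Windows API' entries so that related objects (a hidden service plus its
LEGACY_ enum key, a folder full of hidden files) appear together."""
import re
from collections import defaultdict

# Constructed sample: lines taken from the log posted above, shortened so the
# script runs offline.  A raw string keeps the backslashes literal.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\CrPT4Aw2YM7D 8/29/2005 9:19 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PLUSTRY 8/28/2005 5:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\Plustry 9/6/2005 7:05 PM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim 9/5/2005 12:01 AM 0 bytes Hidden from Windows API.
C:\Program Files\Sopaim\ace.dll 8/28/2005 5:31 PM 568.00 KB Hidden from Windows API.
C:\Program Files\Sopaim\ntkclien.exe 8/28/2005 5:31 PM 156.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\clat4usb9.sys 8/28/2005 5:31 PM 12.00 KB Hidden from Windows API.
F:\System Volume Information\_restore{005FFAA9-A852-47E4-815B-46ECD2586D2D}\RP101\change.log.1 6/7/2005 9:29 PM 1023.87 KB Visible in Windows API, but not in MFT or directory index.
G: 0 bytes Error mounting volume
"""

HIDDEN = "Hidden from Windows API"
VISIBLE_ONLY = "Visible in Windows API, but not in MFT or directory index"

# <path> [<M/D/YYYY> <H:MM AM|PM>] <size> <unit> <description>.  Date and time
# are optional because volume-error lines ("G: 0 bytes Error ...") lack them.
LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?:\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M))?"
    r"\s+(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))"
    r"\s+(?P<desc>.+?)\.?$")


def parse_log(text):
    """One dict per non-blank line; unrecognised lines are kept as UNPARSED
    rather than silently dropped, so nothing in the report disappears."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = LINE_RE.match(line)
        entries.append(m.groupdict() if m else {"path": line, "desc": "UNPARSED"})
    return entries


def component_after(path, marker):
    """Path component directly following `marker` (case-insensitive), or None."""
    i = path.upper().find(marker.upper())
    return None if i < 0 else path[i + len(marker):].split("\\")[0]


def hidden_service_pairs(reg_paths):
    """Pair a hidden Services\\<name> key with a hidden Enum\\Root\\LEGACY_<NAME>
    key.  Windows creates the LEGACY_ entry for a non-PnP driver service, so
    both being hidden points at a single concealed driver."""
    services, legacy = {}, {}
    for p in reg_paths:
        svc = component_after(p, "\\Services\\")
        leg = component_after(p, "\\Enum\\Root\\LEGACY_")
        if svc:
            services[svc.upper()] = p
        if leg:
            legacy[leg.upper()] = p
    return {n: (services[n], legacy[n]) for n in services if n in legacy}


def triage(text):
    """Bucket the log: hidden registry keys, hidden files grouped by folder,
    the lower-priority 'visible but not in MFT' class (the object is visible
    to Windows, which is not what a rootkit does), volume errors, leftovers."""
    report = {"hidden_registry": [], "hidden_files": defaultdict(list),
              "visible_only": [], "errors": [], "unparsed": []}
    for e in parse_log(text):
        path, desc = e["path"], e["desc"]
        if desc == HIDDEN and path.upper().startswith(("HKLM\\", "HKCU\\", "HKEY_")):
            report["hidden_registry"].append(path)
        elif desc == HIDDEN:
            folder = path.rpartition("\\")[0] or path
            report["hidden_files"][folder].append(path)
        elif desc == VISIBLE_ONLY:
            report["visible_only"].append(path)
        elif desc == "UNPARSED":
            report["unparsed"].append(path)
        else:
            report["errors"].append((path, desc))
    report["hidden_files"] = dict(report["hidden_files"])
    report["service_pairs"] = hidden_service_pairs(report["hidden_registry"])
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for name, (svc, leg) in r["service_pairs"].items():
        print(f"hidden driver/service pair {name}: {svc} <-> {leg}")
    for folder, files in sorted(r["hidden_files"].items()):
        print(f"{len(files)} hidden object(s) under {folder}")
    print(len(r["visible_only"]), "visible-but-not-in-MFT entries (lower priority)")
    print("volume errors:", r["errors"], "| unparsed:", r["unparsed"])
```

Run against a real rootkitrevealer.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; a hidden service with a hidden LEGACY_ key and a hidden .sys file under drivers is the cluster to look at first.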

#42
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Go to Start > Run.
Copy the following line and paste it into the box:

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CrPT4Aw2YM7D"

Click OK.

Locate the following file: C:\look.txt and copy the contents and paste them here.

#43
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
I copied this entire line:

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CrPT4Aw2YM7D"

and pasted it into Start > Run, but nothing came up. So I couldn't find C:\look.txt.

?????

#44
Michelle
    Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Nothing will pop up. Just use Windows Explorer, go to your C: drive and locate look.txt on it. Open it, copy the contents and paste them here :tazz:

#45
chicagochicklett
    Member
  • Topic Starter
  • 55 posts
Ran regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CrPT4Aw2YM7D" but couldn't locate C:\look.txt.

I did a file search for it and had no luck and couldn't find it in Windows Explorer. Now what?





