Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

wininet.dll infected by w32/alamod.e.dll [RESOLVED]


  • This topic is locked This topic is locked

#1
dave901

dave901

    New Member

  • Member
  • Pip
  • 6 posts
I'm usually the guy helping my friends get rid of this crap. I will be humbled and grateful for any help! Have ran as many anti-adware malware programs as I could. My McAfee detects but will not clean delete or quarantine. Hijack This log follows:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:59 AM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\mssearchnet.exe
C:\windows\system32\nvctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\windows\Mixer.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\windows\system32\hpDF4.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.1\Burn4Free_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WMnRYN] C:\WINDOWS\iomdwk.exe
O4 - HKLM\..\Run: [winsync] C:\windows\system32\lpdxk4.exe reg_run
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mvmz] C:\WINDOWS\mvmz.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [KavSvc] C:\windows\system32\raulkn.exe reg_run
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [intell32.exe] C:\windows\system32\intell32.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [gafrtej] c:\windows\dovpaje.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\171709.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/...e/atomaders.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248...hm::/update.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi dave901 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
dave901

dave901

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I believe I have a handle on the actual virus after running smitrem in safe mode (and a couple of other things), but I'm still getting pop-ups that I've never had before so I'll post my Hijack log for comment. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 11:27:22 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\Mixer.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [winsync] C:\windows\system32\lpdxk4.exe reg_run
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!
  • 0

#5
dave901

dave901

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
results from winpfind in safe mode and trackqoo in normal mode



winpfind:




WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 11/9/2004 11:40:52 AM 322932474 C:\image1.cdr

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
web-nex 8/18/2005 10:50:04 PM 4022 C:\windows\jnvra.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\windows\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\windows\tsc.exe
PECompact2 8/18/2005 2:24:00 PM 15636721 C:\windows\LPT$VPN.791
qoologic 8/18/2005 2:24:00 PM 15636721 C:\windows\LPT$VPN.791
SAHAgent 8/18/2005 2:24:00 PM 15636721 C:\windows\LPT$VPN.791
UPX! 2/18/2005 6:40:14 PM 1044560 C:\windows\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\windows\vsapi32.dll
PECompact2 8/18/2005 2:24:00 PM 15636721 C:\windows\VPTNFILE.791
qoologic 8/18/2005 2:24:00 PM 15636721 C:\windows\VPTNFILE.791
SAHAgent 8/18/2005 2:24:00 PM 15636721 C:\windows\VPTNFILE.791
FSG! 9/26/2005 10:52:40 AM 1189451 C:\windows\WindowsUpdate.log

Checking %System% folder...
aspack 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
KavSvc 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
69.59.186.63 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
209.66.67.134 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
66.63.167.97 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
66.63.167.77 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
web-nex 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
yourkey 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
rec2_run 8/17/2005 12:53:44 PM 29184 C:\windows\SYSTEM32\supdate.dll
aspack 8/3/2004 11:56:36 PM 708096 C:\windows\SYSTEM32\ntdll.dll
aspack 8/17/2005 12:53:44 PM 28160 C:\windows\SYSTEM32\redit.cpl
PEC2 3/31/2003 12:00:00 PM 41397 C:\windows\SYSTEM32\dfrg.msc
Umonitor 8/3/2004 11:56:44 PM 657920 C:\windows\SYSTEM32\rasdlg.dll
winsync 3/31/2003 12:00:00 PM 1309184 C:\windows\SYSTEM32\wbdbase.deu
aspack 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
KavSvc 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
69.59.186.63 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
209.66.67.134 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
testpopup 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
web-nex 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
yourkey 8/17/2005 12:52:30 PM 27648 C:\windows\SYSTEM32\rkcyeoi.dll
PEC2 6/9/2005 1:32:28 PM 692736 C:\windows\SYSTEM32\DivX.dll
PECompact2 6/9/2005 1:32:28 PM 692736 C:\windows\SYSTEM32\DivX.dll
UPX! 8/2/2005 3:03:52 PM 224768 C:\windows\SYSTEM32\b4fm.dll
PECompact2 9/8/2005 8:08:28 PM 1997664 C:\windows\SYSTEM32\MRT.exe
aspack 9/8/2005 8:08:28 PM 1997664 C:\windows\SYSTEM32\MRT.exe
aspack 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
KavSvc 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
69.59.186.63 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
209.66.67.134 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
web-nex 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
yourkey 8/17/2005 12:52:30 PM 9728 C:\windows\SYSTEM32\ukvgr.dll
aspack 5/16/2002 5:12:30 PM 117248 C:\windows\SYSTEM32\SKCL.dll
69.59.186.63 9/23/2005 1:34:48 AM 46080 C:\windows\SYSTEM32\ssdfdks.dll
209.66.67.134 9/23/2005 1:34:48 AM 46080 C:\windows\SYSTEM32\ssdfdks.dll
web-nex 9/23/2005 1:34:48 AM 46080 C:\windows\SYSTEM32\ssdfdks.dll
winsync 9/23/2005 1:34:48 AM 46080 C:\windows\SYSTEM32\ssdfdks.dll
69.59.186.63 9/23/2005 1:34:48 AM 10240 C:\windows\SYSTEM32\jakrd.dll
209.66.67.134 9/23/2005 1:34:48 AM 10240 C:\windows\SYSTEM32\jakrd.dll
web-nex 9/23/2005 1:34:48 AM 10240 C:\windows\SYSTEM32\jakrd.dll
winsync 9/23/2005 1:34:48 AM 10240 C:\windows\SYSTEM32\jakrd.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 9:41:38 PM 1309184 C:\windows\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\windows\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/19/2005 1:38:10 AM H 54156 C:\windows\QTFont.qfn
9/26/2005 10:54:52 AM S 2048 C:\windows\bootstat.dat
9/26/2005 10:52:42 AM H 774144 C:\windows\SYSTEM32\config\system.LOG
9/26/2005 10:52:42 AM H 73728 C:\windows\SYSTEM32\config\software.LOG
9/26/2005 10:52:42 AM H 8192 C:\windows\SYSTEM32\config\default.LOG
9/26/2005 10:55:06 AM H 1024 C:\windows\SYSTEM32\config\SAM.LOG
9/26/2005 10:54:54 AM H 12288 C:\windows\SYSTEM32\config\SECURITY.LOG
9/20/2005 8:38:24 AM H 1024 C:\windows\SYSTEM32\config\systemprofile\ntuser.dat.LOG
8/1/2005 12:34:28 AM HS 24 C:\windows\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
8/1/2005 12:34:28 AM HS 388 C:\windows\SYSTEM32\Microsoft\Protect\S-1-5-18\User\7cf8b8c7-b316-447d-9c89-c3a173deccde
9/26/2005 10:52:38 AM H 6 C:\windows\Tasks\SA.DAT

Checking for CPL files...
Sun Microsystems 2/20/2003 4:42:34 PM 229487 C:\windows\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\windows\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\windows\SYSTEM32\inetcpl.cpl
8/17/2005 12:53:44 PM 28160 C:\windows\SYSTEM32\redit.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\windows\SYSTEM32\intl.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\windows\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\windows\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\windows\SYSTEM32\desk.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\windows\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\windows\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\windows\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\windows\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\windows\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\windows\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\windows\SYSTEM32\wuaucpl.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\windows\SYSTEM32\QuickTime.cpl
SiSoftware 6/29/2005 6:00:10 PM 53248 C:\windows\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\windows\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\windows\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\windows\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\windows\SYSTEM32\joy.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\windows\SYSTEM32\wscui.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\windows\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\windows\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\windows\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\windows\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\windows\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\windows\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\windows\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\windows\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\windows\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\windows\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 187904 C:\windows\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\windows\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 28160 C:\windows\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\windows\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 3/31/2003 12:00:00 PM 35840 C:\windows\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\windows\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\windows\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\windows\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\windows\SYSTEM32\dllcache\irprops.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/14/2004 1:12:24 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
9/23/2005 1:34:48 AM 91648 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nacu.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/14/2004 8:28:40 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
12/14/2004 1:12:24 PM HS 84 C:\Documents and Settings\Dave\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/14/2004 8:28:40 AM HS 62 C:\Documents and Settings\Dave\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyksgtxq
{4eb36105-95c2-41a7-8101-1b3ef0c9f665} = C:\windows\system32\jakrd.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zipn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{70DE7956-479D-4EB7-8641-2B45774C350E} = Burn4Free Toolbar : C:\Program Files\Burn4Free Toolbar\v2.0.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
C-Media Mixer Mixer.exe /startup
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
winsync C:\windows\system32\lpdxk4.exe reg_run
UFD Utility C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
UFD Monitor C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Microsoft Management Console lssas.exe
Microsoft Internet Acceleration Utility iau.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Weather C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/26/2005 11:12:45 AM






trackqoo:



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\" /disabled"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"C-Media Mixer"="Mixer.exe /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"winsync"="C:\\windows\\system32\\lpdxk4.exe reg_run"
"UFD Utility"="C:\\Program Files\\USB FlashDisk\\UFD Utility 2003\\UFDTool.exe"
"UFD Monitor"="C:\\Program Files\\USB FlashDisk\\UFD Utility 2003\\ufdlmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Microsoft Management Console"="lssas.exe"
"Microsoft Internet Acceleration Utility"="iau.exe"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- 7-Zip
{23170F69-40C1-278A-1000-000100020000}
C:\Program Files\7-Zip\7-zipn.dll

Subkey --- fyksgtxq
{4eb36105-95c2-41a7-8101-1b3ef0c9f665}
C:\windows\system32\jakrd.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\windows\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\windows\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\windows\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\windows\system32\SHELL32.dll

Subkey --- {CFC7205E-2792-4378-9591-3879CC6C9022}

c:\progra~1\mcafee.com\vso\mcvsshl.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\windows\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\windows\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\windows\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\windows\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

desktop.ini
==============================
C:\Documents and Settings\Dave\Start Menu\Programs\Startup

desktop.ini
desktop.ini
==============================
C:\WINDOWS\SYSTEM32 cpl files


jpicpl32.cpl Sun Microsystems
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
redit.cpl
intl.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
access.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
SanCpl.cpl SiSoftware
powercfg.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyksgtxq]

[-HKEY_CLASSES_ROOT\CLSID\{4eb36105-95c2-41a7-8101-1b3ef0c9f665}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\windows\jnvra.dll
C:\windows\RMAgentOutput.dll
C:\windows\SYSTEM32\supdate.dll
C:\windows\SYSTEM32\redit.cpl
C:\windows\SYSTEM32\rkcyeoi.dll
C:\windows\SYSTEM32\ukvgr.dll
C:\windows\SYSTEM32\ssdfdks.dll
C:\windows\SYSTEM32\jakrd.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nacu.exe
C:\windows\system32\lpdxk4.exe


As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [winsync] C:\windows\system32\lpdxk4.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#7
dave901

dave901

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ACTIVESCAN results


Incident Status Location

Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\puygq.dat
Adware:Adware/QoolShown No disinfected C:\WINDOWS\SYSTEM32\baqxcrm.exe
Adware:Adware/PsGuard No disinfected C:\WINDOWS\SYSTEM32\msvol.tlb
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/RelatedLinks No disinfected C:\Program Files\HijackThis\backup-20040727-141703-740.dll
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\HijackThis\backup-20050206-222713-299.dll
Adware:Adware/WUpd No disinfected C:\Program Files\HijackThis\backup-20050206-222715-594.dll
Adware:Adware/IST.YourSiteBar No disinfected C:\Program Files\HijackThis\backup-20050206-222716-833.inf
Possible Virus. No disinfected C:\Documents and Settings\Dave\My Documents\Unzipped\Cxbx-0.7.8c\Cxbx-0.7.8c\Cxbx.dll


New Hijack This results

Logfile of HijackThis v1.99.1
Scan saved at 11:55:52 PM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
open Hijackthis and do a scan. Please check off the following items:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe


click FIX CHECKED then close Hijackthis


Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\windows\system32\lssas.exe
    C:\WINDOWS\iau.exe
    C:\WINDOWS\SYSTEM32\puygq.dat
    C:\WINDOWS\SYSTEM32\baqxcrm.exe
    C:\WINDOWS\SYSTEM32\msvol.tlb
    C:\WINDOWS\mstasks1.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
please post a fresh Hijackthis log and let me know how your computer is running.


thanks,

:tazz:

Excal
  • 0

#9
dave901

dave901

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:35:40 PM, on 9/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\Mixer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.iwon.com"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dave\Application Data\Mozilla\Profiles\default\lh9tpwdk.slt\prefs.js)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Looks pretty good :)


hows everything running?

:tazz:

Excal
  • 0

#11
dave901

dave901

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Everything seems to be running fine so far. Thanks for the help! I generally run McAfee, Spyware Blaster, and occasionally Adaware on my system and systems that I build for friends. Do you think this is enough or have any other suggestions?
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I would add adaware/spybot S&D and cleanup to your weekly cleaning :)

Great job, it appears your computer is clean :tazz:

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmentor Make sure it set to the proper drive (default should be your main driver) and click on defragment


Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#13
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP