PSGUARD and others [CLOSED]
#1 jimbo1046 (Member, 18 posts)
Hi, help needed.

On startup, PSGuard always runs and no matter what I seem to do I can't budge it. Also recently I have had other problems which I hope are fixed but may help anyone reading my log. Firstly my homepage was continually hijacked and an e-search web site was put in its place. Also I had small icons next to my clock saying "your computer is infected, please click here." As I have said these problems seem to have gone. Finally, since I have been having all this trouble my internet seems to slow down to almost a snail's pace after I have been online for five minutes.
As far as what I have done, I have run AdAware, CWShredder, Spybot, and TrojanHunter, both in normal and safe mode. Ewido could not run on my Windows ME system and the Panda and Trend online scans would not run. I downloaded the free AVG Virus program, which at first I thought had fixed the problems; however the result of running that meant Internet Explorer and MSN Messenger would not connect. Internet Explorer said it was a syntax error and MSN said it was "temporarily unavailable". Yet other programs such as Outlook Express did work. On uninstalling AVG both these programs worked again. However this meant the return of PSGuard and the slow internet speed. So that brings you up to speed.
Thanks for any help given. Here is my log:
James

Logfile of HijackThis v1.99.1
Scan saved at 20:30:11, on 29/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi jimbo1046 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in, go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.
  • Click on My Controls at the top right hand corner of the window.
  • In the left hand column, click "View Topics"
  • If you click on the title of your post, you will be taken there
2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3 jimbo1046 (Topic Starter, Member, 18 posts)
Hi Trevuren,
Did what you asked, hope I didn't muck anything up:

Logfile of HijackThis v1.99.1
Scan saved at 09:41:27, on 30/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
  • Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
    • Double click the Smitrem.exe icon on your Desktop.
    • Then click Run>Start and a Smitrem folder will appear on your desktop also.
  • Place a shortcut to Panda ActiveScan on your desktop.

  • Install Ad-Aware SE 1.06, follow these download and setup instructions.
  • REBOOT your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
  • Now open HJT, click SCAN and place a checkmark next to each of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
    O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

  • Click the Fix Checked box and EXIT HJT

  • Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

    C:\WINDOWS\SYSTEM\intell32.exe
    C:\Program Files\P.S.Guard <== Folder

  • Open the smitRem folder
    • Double click the RunThis.bat file to start the tool.
    • Follow the prompts on screen.
    • Wait for the tool to complete and disk cleanup to finish.

    NOTE: The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  • Open Ad-aware and do a full scan. Remove all it finds.

  • Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
  • Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page".
    Click OK then Apply and OK

  • REBOOT back into Normal Mode

  • Click the Panda ActiveScan shortcut
    • Do a full system scan.
    • Make sure the autoclean box is checked!
  • Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.

Regards,

Trevuren


#5 jimbo1046 (Topic Starter, Member, 18 posts)
Hi Trevuren,

Still having problems I'm afraid. The PSGUARD still starts up, the icon saying "your computer is infected!" is still in the bottom right toolbar and the problem with Internet Explorer and the connection has not gone away. I completed instructions 1-7 successfully. The smitRem program however found an infected file which is on the log. I ran Ad-aware, and it found critical objects; however, when it came to cleaning, it completed them all, except it then came up with a message saying "Some objects could not be removed. Try closing all open browser windows prior to the removal etc. C:\_RESTORE\TEMP\INTELL32.0 could not be removed. Ad-aware run after next reboot etc?" I ran Ad-aware another two times; both times the same message came up, the first one was …INTELL32.1 though, and the second time it came up with C:\_RESTORE\TEMP\INTELL32.0.

Ewido will not run on my computer as I have Windows ME. Step 11, I do not have a Web setting on my Display properties. Not sure if this is a fault.

The Panda ActiveScan will not work, as when it comes up with the boxes to enter your country etc. along with your e-mail there are no options in the scroll-down box.

Here are my HijackThis and smitRem logs. Thanks.

James

Logfile of HijackThis v1.99.1
Scan saved at 22:26:18, on 30/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\NUAITD.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\nuaitd.exe reg_run
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: dtni.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202



smitRem log file
version 2.5

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe


~~~ Miscellaneous Files/folders ~~~



winstall.exe

~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~






~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :tazz:
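The triage Trevuren applied to the post #3 log (which entries go under Fix Checked, which are merely orphaned) and the comparison with the post #5 log that shows the re-dropped autostarts, written out as an added Python example; this is not code from the thread or from HijackThis. The two sample logs are constructed from the entries posted above, and the allow-list of stock Windows ME autostart names is an assumption made for this example.

```python
"""Triage HijackThis (HJT) log entries the way the log in this thread was reviewed.

Added example, not code from the thread or from HijackThis. The two sample
logs are constructed from the entries posted above; the allow-list of stock
Windows ME autostart names is an assumption made for this example.
"""
import re
from dataclasses import dataclass

# Stock Win9x/ME autostarts that were left alone during the review (assumed allow-list).
KNOWN_GOOD_O4 = {"SystemTray", "MSConfigReminder", "LoadPowerProfile",
                 "SchedulingAgent", "StillImageMonitor"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^.+?: \[(?P<name>[^\]]+)\] ")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "R0", "O4", "O15"
    body: str      # everything after "Rn - " / "On - "


def parse_hjt(text):
    """Return the R/F/O entries of an HJT log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"]))
    return entries


def triage(entries):
    """Split entries into (fix, review) using the rules the reviewer applied."""
    fix, review = [], []
    for e in entries:
        if e.section == "R0" and e.body.endswith("="):
            fix.append(e)       # start page blanked by a hijacker
        elif e.section == "R3" and "is missing" in e.body:
            fix.append(e)       # default URLSearchHook removed
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            name = m["name"] if m else e.body   # "Startup: dtni.exe" carries no [name]
            if name not in KNOWN_GOOD_O4:
                fix.append(e)   # autostart outside the stock allow-list
        elif e.section == "O15":
            fix.append(e)       # Trusted Zone/IP: IE security lowered for that site
        elif e.section == "O21" and "(no file)" in e.body:
            fix.append(e)       # ShellServiceObjectDelayLoad pointing at a missing module
        elif "(no file)" in e.body:
            review.append(e)    # orphaned button/entry: harmless, clean up later
    return fix, review


def new_entries(before, after):
    """Entries present only in the later log: components re-dropped after a cleanup."""
    seen = set(before)
    return [e for e in after if e not in seen]


# Constructed from the log in post #3 (before the fix) and post #5 (after it).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\nuaitd.exe reg_run
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: dtni.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202
"""

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    fix, review = triage(before)
    print("Fix checked:", *[f"{e.section} - {e.body}" for e in fix], sep="\n  ")
    print("Review later:", *[f"{e.section} - {e.body}" for e in review], sep="\n  ")
    print("New since previous log:",
          *[f"{e.section} - {e.body}" for e in new_entries(before, after)], sep="\n  ")
```

Run stand-alone it lists the same eight Fix Checked entries as post #4 and then the three O4 entries (autoupdate, winsync, Startup: dtni.exe) that appeared between the two logs, which is what signals the infection re-dropping itself after the first pass.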

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. The fact that Ewido does not run on your system is not surprising. I should have omitted that scan but forgot.

2. What Ad-Aware is finding are infected files in your System Restore cache, so not dangerous unless you restore your system. This cache will be emptied at the end.

3. That is the first time that I have heard that about Panda Scan. Make sure that you allow ActiveX components. I personally think that this was just a temporary glitch on the site. I just tried and it works now.

4. The only real problem I see now is the infected wininet.dll. This happens often on non-NT systems.

5. I need you to use the Windows Search function, and locate all instances of "wininet.dll" on your system.

6. Please copy the info and post it ALL into this thread and we will proceed from there.

Take heart, I am optimistic.


Regards,

Trevuren


#7 jimbo1046 (Topic Starter, Member, 18 posts)
Hi Trevuren,

Thanks for helping. Glad you're optimistic, I'm not! The only place I can find that file is in C:\WINDOWS\SYSTEM. As for Panda, I still can't get on, so it must be my computer. It's the Fill In section that doesn't work. How do I go about getting the ActiveX controls right? Here is my log if you need it. Thanks. James. P.S. I've already told you about the internet, just wondering if you've heard of this problem before? Basically after about 5-10 minutes, no sites will load and I have to restart the computer, although I know the connection is still active through using other programs.

Logfile of HijackThis v1.99.1
Scan saved at 23:56:37, on 30/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\DTNI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\nuaitd.exe reg_run
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: dtni.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
We will have to leave the internet problem until things are sorted out with the malware. Haven't done this manually in a while. Will be fun. ME is hard to work with.

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Trackgoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up. Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,

Trevuren


#9 jimbo1046 (Topic Starter, Member, 18 posts)
Hi Trevuren,
Did that stuff. Here are the posts. Thanks.
James

Logfile of HijackThis v1.99.1
Scan saved at 10:13:53, on 01/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\nuaitd.exe reg_run
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: dtni.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
KavSvc 01/10/2005 09:57:50 RH 3604512 C:\WINDOWS\SYSTEM.DAT
winsync 01/10/2005 09:57:50 RH 3604512 C:\WINDOWS\SYSTEM.DAT
web-nex 17/08/2005 10:13:14 4058 C:\WINDOWS\akjzn.dll
69.59.186.63 01/10/2005 09:51:08 181760 C:\WINDOWS\koioclo.dll
209.66.67.134 01/10/2005 09:51:08 181760 C:\WINDOWS\koioclo.dll
web-nex 01/10/2005 09:51:08 181760 C:\WINDOWS\koioclo.dll
winsync 01/10/2005 09:51:08 181760 C:\WINDOWS\koioclo.dll
69.59.186.63 01/10/2005 09:51:08 133120 C:\WINDOWS\glfwm.dll
209.66.67.134 01/10/2005 09:51:08 133120 C:\WINDOWS\glfwm.dll
web-nex 01/10/2005 09:51:08 133120 C:\WINDOWS\glfwm.dll
winsync 01/10/2005 09:51:08 133120 C:\WINDOWS\glfwm.dll

Checking %System% folder...
PTech 22/08/1998 00:24:08 74460 C:\WINDOWS\SYSTEM\OLFAXDRV.DRV
FSG! 04/06/2002 09:01:36 537600 C:\WINDOWS\SYSTEM\rmme3260.dll
UPX! 22/11/2002 16:21:28 123904 C:\WINDOWS\SYSTEM\avisynth.dll
UPX! 30/09/2005 21:47:44 6144 C:\WINDOWS\SYSTEM\intell32.exe
PTech 25/06/2001 12:22:26 R 7832 C:\WINDOWS\SYSTEM\lxblinst.drv
UPX! 29/09/2005 08:57:10 29696 C:\WINDOWS\SYSTEM\PSof1.exe.tcf
qoologic 29/12/2004 15:46:54 7797257 C:\WINDOWS\SYSTEM\pav.sig
aspack 29/12/2004 15:46:54 7797257 C:\WINDOWS\SYSTEM\pav.sig
SAHAgent 29/12/2004 15:46:54 7797257 C:\WINDOWS\SYSTEM\pav.sig
winsync 29/12/2004 15:46:54 7797257 C:\WINDOWS\SYSTEM\pav.sig
UPX! 12/07/2005 10:49:58 65024 C:\WINDOWS\SYSTEM\thin-138-1-x-x.exe
69.59.186.63 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
209.66.67.134 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
66.63.167.97 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
66.63.167.77 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
web-nex 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
winsync 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
rec2_run 30/09/2005 20:59:42 30720 C:\WINDOWS\SYSTEM\wuauclt.dll
aspack 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
KavSvc 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
69.59.186.63 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
209.66.67.134 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
66.63.167.97 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
66.63.167.77 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
web-nex 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
yourkey 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf
rec2_run 29/09/2005 08:57:14 29184 C:\WINDOWS\SYSTEM\supdate.dll.tcf

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
01/10/2005 10:02:40 RH 6131744 C:\WINDOWS\CLASSES.DAT
01/10/2005 09:57:50 RH 3604512 C:\WINDOWS\SYSTEM.DAT
01/10/2005 10:03:48 RH 1638432 C:\WINDOWS\USER.DAT
30/09/2005 23:25:22 H 18516 C:\WINDOWS\ttfCache
30/09/2005 22:54:28 H 54156 C:\WINDOWS\QTFont.qfn
01/10/2005 09:55:58 H 1469662 C:\WINDOWS\ShellIconCache
31/08/2005 20:39:36 H 8628 C:\WINDOWS\SYSTEM\E_QI021E.GID
28/09/2005 21:39:54 H 1566 C:\WINDOWS\SYSTEM\vsconfig.xml
03/09/2005 15:52:10 H 4212 C:\WINDOWS\SYSTEM\zllictbl.dat
01/10/2005 09:57:46 H 21206 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
01/10/2005 09:50:52 H 6 C:\WINDOWS\TASKS\SA.DAT
27/08/2005 15:57:56 HS 9216 C:\WINDOWS\DRM\drmv2.sst
01/10/2005 09:57:18 HS 2138 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
01/10/2005 09:55:56 H 340 C:\WINDOWS\Application Data\Microsoft\MSN Messenger\2590229487\sqmdata00.sqm
01/09/2005 20:43:02 HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GZEBCR6L\desktop.ini
29/09/2005 10:02:12 HS 118 C:\WINDOWS\Recent\Desktop.ini

Checking for CPL files...
Microsoft Corporation 31/05/2000 13:17:14 15152 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 29/08/2002 07:07:38 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 08/06/2000 17:00:00 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 08/06/2000 17:00:00 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 08/06/2000 17:00:00 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 08/06/2000 17:00:00 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 08/06/2000 17:00:00 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 08/06/2000 17:00:00 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 08/06/2000 17:00:00 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 08/06/2000 17:00:00 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 08/06/2000 17:00:00 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 08/06/2000 17:00:00 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 08/06/2000 17:00:00 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 08/06/2000 17:00:00 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 08/06/2000 17:00:00 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 30/10/2001 08:10:00 442368 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 08/06/2000 17:00:00 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 08/06/2000 17:00:00 15360 C:\WINDOWS\SYSTEM\THEMES.CPL
Apple Computer, Inc. 27/08/1996 02:12:00 R 259280 C:\WINDOWS\SYSTEM\QTW16.CPL
Apple Computer, Inc. 26/08/1996 02:12:00 R 341504 C:\WINDOWS\SYSTEM\QTW32.CPL
Apple Computer, Inc. 25/03/2003 21:06:28 295936 C:\WINDOWS\SYSTEM\QuickTime.cpl
PCtel, Inc. 10/10/2000 15:01:44 56832 C:\WINDOWS\SYSTEM\PTCTRL.CPL
Microsoft Corporation 10/02/1999 11:48:48 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
30/07/1998 05:44:02 14336 C:\WINDOWS\SYSTEM\PMXUSB.CPL
Sun Microsystems, Inc. 06/12/2004 21:31:48 49265 C:\WINDOWS\SYSTEM\jpicpl32.cpl
30/09/2005 20:59:42 31744 C:\WINDOWS\SYSTEM\vgactl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
01/10/2005 09:51:08 417792 C:\WINDOWS\Start Menu\Programs\StartUp\dtni.exe

Checking files in %USERPROFILE%\Application Data folder...
01/10/2005 00:23:26 5820 C:\WINDOWS\Application Data\dw.log
22/09/2005 09:29:52 0 C:\WINDOWS\Application Data\Install.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4} = C:\Program Files\Trend PC-cillin 2000\TMDSHELL.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4} = C:\Program Files\Trend PC-cillin 2000\TMDSHELL.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
MenuText = :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray SysTray.Exe
MSConfigReminder C:\WINDOWS\SYSTEM\msconfig.exe /reminder
autoupdate rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
winsync C:\WINDOWS\nuaitd.exe reg_run
P.S.Guard C:\Program Files\P.S.Guard\PSGuard.exe
intell32.exe C:\WINDOWS\SYSTEM\intell32.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
LexStart lexstart.exe
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
THGuard "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]
TrueVector C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook {BCBCD383-3E06-11D3-91A9-00C04F68105C} = C:\WINDOWS\SYSTEM\AUHOOK.DLL

<<< WARNING! - NOT A VALID WIN98/ME KEY! >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit =
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 01/10/2005 10:11:11


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MSConfigReminder"="C:\\WINDOWS\\SYSTEM\\msconfig.exe /reminder"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WUAUCLT.DLL,SHStart"
"winsync"="C:\\WINDOWS\\nuaitd.exe reg_run"
"P.S.Guard"="C:\\Program Files\\P.S.Guard\\PSGuard.exe"
"intell32.exe"="C:\\WINDOWS\\SYSTEM\\intell32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- ScanMenu
{48f45200-91e6-11ce-8a4f-0080c81a28d4}
C:\Program Files\Trend PC-cillin 2000\TMDSHELL.DLL

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\PROGRAM FILES\WINRAR\rarext.dll

Subkey --- TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}
C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {7ab770c7-0e23-4d7a-8aa2-19bfad479829}
C:\WINDOWS\SYSTEM\SHELL32.DLL

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINDOWS\SYSTEM\DOCPROP2.DLL

==============================
C:\WINDOWS\All Users\Start Menu\Programs\StartUp

==============================
C:\WINDOWS\Start Menu\Programs\StartUp

dtni.exe
==============================
C:\WINDOWS\SYSTEM cpl files


WUAUCPL.CPL Microsoft Corporation
INETCPL.CPL Microsoft Corporation
INTL.CPL Microsoft Corporation
MODEM.CPL Microsoft Corporation
ODBCCP32.CPL Microsoft Corporation
POWERCFG.CPL Microsoft Corporation
APPWIZ.CPL Microsoft Corporation
DESK.CPL Microsoft Corporation
MAIN.CPL Microsoft Corporation
MMSYS.CPL Microsoft Corporation
NETCPL.CPL Microsoft Corporation
PASSWORD.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
TELEPHON.CPL Microsoft Corporation
TIMEDATE.CPL Microsoft Corporation
JOY.CPL Microsoft Corporation
ACCESS.CPL Microsoft Corporation
THEMES.CPL Microsoft Corporation
QTW16.CPL Apple Computer, Inc.
QTW32.CPL Apple Computer, Inc.
QuickTime.cpl Apple Computer, Inc.
PTCTRL.CPL PCtel, Inc.
FINDFAST.CPL Microsoft Corporation
PMXUSB.CPL
jpicpl32.cpl Sun Microsystems, Inc.
vgactl.cpl
#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.


2. Open Pocket Killbox
  • Copy & Paste the entries below into the "Full Path of File to Delete"

    C:\WINDOWS\SYSTEM\WUAUCLT.DLL
    C:\WINDOWS\nuaitd.exe
    C:\WINDOWS\akjzn.dll
    C:\WINDOWS\koioclo.dll
    C:\WINDOWS\glfwm.dll
    C:\WINDOWS\SYSTEM\intell32.exe
    C:\WINDOWS\SYSTEM\PSof1.exe.tcf
    C:\WINDOWS\SYSTEM\vgactl.cpl
    C:\WINDOWS\SYSTEM\pav.sig
    C:\WINDOWS\SYSTEM\supdate.dll.tcf
    C:\WINDOWS\SYSTEM\thin-138-1-x-x.exe
    C:\WINDOWS\Start Menu\Programs\StartUp\dtni.exe



  • As you Paste each entry into Killbox, place a check beside any of these Selections available:
    • "Delete on Reboot"
    • "Unregister .dll before Deleting"
  • Click the Red Circle with the White X in the Middle to Delete!

  • REBOOT in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

    *This time place a checkmark by any of these selections available:
    • "Standard File Kill"
    • "End Explorer Shell while Killing File"
    • "Unregister .dll before Deleting"
3. Now locate and double-click KillQoo.reg -> allow it to merge into the Registry!

4. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\nuaitd.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

5. REBOOT back in Normal Mode

6. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

#11
jimbo1046

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi,
Did all you asked, apart from Step 3. I was unable to locate the file. I ran a *.red search; however, that file did not appear. Here is my most recent log.
Thanks
James

Logfile of HijackThis v1.99.1
Scan saved at 20:42:23, on 01/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202
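
As an added example (not code from this thread, from HijackThis or from any of the tools named here), the script below parses the O4, O9 and O15 lines of a HijackThis log like the one above and reports the entries a reviewer would look at first: autorun targets that are not on a baseline of known-good files, an extra button whose file is missing, and any IP added to the Trusted IP range. The sample lines are copied from the logs in this thread (plus the [autoupdate] line listed in post #10); the BASELINE set is this example's assumption about what belongs on this Windows ME machine, not a vendor list.

```python
import re
from dataclasses import dataclass

# Constructed sample log: HijackThis lines as they appear in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 213.159.117.202
"""

# Assumed baseline (this example's assumption): basenames of autorun targets
# that belong to Windows ME or to software the poster knowingly installed.
# Anything else is reported for review, not declared malicious.
BASELINE = {
    "systray.exe", "msconfig.exe", "realsched.exe",
    "powrprof.dll", "mstask.exe", "stimon.exe",
}

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Unquoted command: the program ends at the first extension followed by
# whitespace or end of line, so paths with spaces are kept whole.
UNQUOTED_RE = re.compile(
    r"^(?P<exe>.+?\.(?:exe|dll|com|bat|cpl|scr|pif))(?:\s+(?P<rest>.*))?$", re.I
)


@dataclass(frozen=True)
class Finding:
    line_type: str   # "O4", "O9" or "O15"
    name: str        # autorun value name, button GUID, or IP
    target: str      # basename of the file that would actually run (O4 only)
    reason: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def autorun_target(cmd: str) -> str:
    """Lowercase basename of the program an O4 command launches.
    For rundll32 hosts the interesting file is the DLL argument, not rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        m = UNQUOTED_RE.match(cmd)
        if m:
            exe, rest = m["exe"], m["rest"] or ""
        else:
            exe, _, rest = cmd.partition(" ")
    base = basename(exe)
    if base in ("rundll32", "rundll32.exe") and rest.strip():
        base = basename(rest.strip().split(",", 1)[0])
    return base


def review_log(text: str, baseline=BASELINE) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = autorun_target(m["cmd"])
            if target not in baseline:
                findings.append(Finding("O4", m["name"], target,
                                        f"{m['hive']}\\..\\{m['key']} target not in baseline"))
        elif line.startswith("O9 - ") and line.endswith("(no file)"):
            guid = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            findings.append(Finding("O9", guid.group(0) if guid else "?", "",
                                    "extra button points at a missing file"))
        elif line.startswith("O15 - Trusted IP range: "):
            findings.append(Finding("O15", line.rsplit(": ", 1)[1], "",
                                    "IP placed in the Trusted sites zone"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.line_type:4} {f.name:<16} {f.target:<14} {f.reason}")
```

Run as-is it lists the [autoupdate] (wuauclt.dll), [P.S.Guard] and [intell32.exe] autoruns, the orphaned O9 button and the O15 entry, which are the same lines the helper marks for removal in this thread; the baseline comparison is deliberately a review aid, so an unfamiliar basename should be checked against the file's publisher and location before anything is deleted.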

#12
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
    • Double click the Smitrem.exe icon on your Desktop.
    • Then click Run>Start and a Smitrem folder will appear on your desktop also.
  • Place a shortcut to Panda ActiveScan on your desktop.

  • Install Ad-Aware SE 1.06, follow these download and setup instructions.
  • REBOOT your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
  • Now open HJT, click SCAN and place a checkmark next to each of the following items:

    O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
    O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted IP range: 213.159.117.202



  • Click the Fix Checked box and EXIT HJT

  • Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

    C:\Program Files\P.S.Guard<==Folder
    C:\WINDOWS\SYSTEM\intell32.exe

  • Open the smitRem folder
    • Double click the RunThis.bat file to start the tool.
    • Follow the prompts on screen.
    • Wait for the tool to complete and disk cleanup to finish.

    NOTE: The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

  • Open Ad-aware and do a full scan. Remove all it finds.


  • Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page".
    Click OK then Apply and OK

  • REBOOT back into Normal Mode

  • Click the Panda ActiveScan shortcut
    • Do a full system scan.
    • Make sure the autoclean box is checked!
  • Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.

Regards,

Trevuren

#13
jimbo1046

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Trevuren.

Did all you asked but still the same problems as last time. Still getting P.S Guard starting up every time I access Internet Explorer or MSN. Cannot run Panda scan as I still have the same problem. Plus I have checked and my ActiveX controls are working.
So not sure where to go from here :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 21:59:02, on 01/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab


smitRem log file
version 2.5

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~






~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :)
#14
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Please do a Search on your system for every instance of wininet.dll

2. Please report the full path of every instance that you find.


Regards,

Trevuren

#15
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.