Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Yupsearch [RESOLVED]

Started by meow , Oct 04 2005 11:42 AM

  • This topic is locked This topic is locked

#1
meow
Posted 04 October 2005 - 11:42 AM

meow

    Member

  • Member
  • PipPip
  • 15 posts
hey,

ive got this hotbar attached to my explorer, ive done a virus check and cleaned up the system but its still there :tazz:.. i dont know wat to do..it pops up ads every few minz, and the uninstall doesnt work... pleaze help meee

heres my hijackthis logfile

Logfile of HijackThis v1.99.1
Scan saved at 10:47:56, on 04/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rycy\buxo.exe
C:\WINDOWS\iwgebn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\etb\pokapoka73.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\MEHREE~1.USE\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.3.3:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [buxo] C:\WINDOWS\system32\rycy\buxo.exe
O4 - HKLM\..\Run: [ChoUqTx4] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ddppuz.exe reg_run
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System service72] C:\WINDOWS\\\etb\\pokapoka72.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk04583HK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho..._ms1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100105792769
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow...voice/voice.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE (file missing)
  • 0

Advertisements

#2
Buckeye_Sam
Posted 07 October 2005 - 08:19 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run directly from your desktop or a temp directory. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have Hijackthis running from a permanent folder, please reboot and post a new hijackthis log.
  • 0

#3
meow
Posted 08 October 2005 - 12:44 PM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
heyy!

thanks for helping :tazz:, i dowloaded it again into my C:\ drive, but when i ran Hijackthis it said it is running from a temp drive... i ran it again though

Logfile of HijackThis v1.99.1
Scan saved at 11:45:18, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rycy\buxo.exe
C:\WINDOWS\iwgebn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.3.3:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [buxo] C:\WINDOWS\system32\rycy\buxo.exe
O4 - HKLM\..\Run: [ChoUqTx4] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ddppuz.exe reg_run
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Symantec AntiVirus Client (2).lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk04583HK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho..._ms1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100105792769
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow...voice/voice.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE (file missing)
  • 0

#4
Buckeye_Sam
Posted 08 October 2005 - 01:00 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
It's not in a temp directory, but it's not in a folder either. Go to your C drive and create a new folder. It doesn't matter what you name it. Then copy and paste Hijackthis.exe into that new folder.

Once you have that, post a new hijackthis log and we'll get you fixed up. :tazz:
  • 0

#5
meow
Posted 13 October 2005 - 09:06 AM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
hey.... sorry for the late reply, thanks for helping, there was an earthquake in my country so been busy with that...

heres the new log

Logfile of HijackThis v1.99.1
Scan saved at 08:11:36, on 13/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rycy\buxo.exe
C:\WINDOWS\iwgebn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\etb\pokapoka75.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.3.2:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [buxo] C:\WINDOWS\system32\rycy\buxo.exe
O4 - HKLM\..\Run: [ChoUqTx4] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ddppuz.exe reg_run
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Symantec AntiVirus Client (2).lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk04583HK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho..._ms1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100105792769
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow...voice/voice.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE (file missing)
  • 0

#6
Buckeye_Sam
Posted 13 October 2005 - 03:45 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
No problem. Earthquakes always take precedence over computers. I hope everything is relatively ok.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

New.Net
Surf Accuracy
Media Access
My Web Search
My Search


Please download LQfix.exe from one of the following locations:
  • http://www.downloads.subratam.org/LQfix.exe
    http://miekiemoes.geekstogo.com/tools/LQfix.exe

  • Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active Internet Connection, so make sure your you're not blocking any connection now.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
Then do a scan with HiJackThis and post a new log by using Add Reply
  • 0

#7
meow
Posted 14 October 2005 - 07:32 AM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
hey there.. i did wat u asked, i cudnt find My web search and My search in add remove programs.. heres the Hijackthis log after running the LQfix.exe

Logfile of HijackThis v1.99.1
Scan saved at 06:35:05, on 14/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rycy\buxo.exe
C:\WINDOWS\iwgebn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.3.2:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [buxo] C:\WINDOWS\system32\rycy\buxo.exe
O4 - HKLM\..\Run: [ChoUqTx4] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ddppuz.exe reg_run
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Á³#  L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iwgebn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Symantec AntiVirus Client (2).lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk04583HK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho..._ms1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100105792769
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow...voice/voice.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE (file missing)
  • 0

#8
Buckeye_Sam
Posted 14 October 2005 - 07:44 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Yeah, they don't always make it that easy to get rid of. :tazz:

Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O4 - HKLM\..\Run: [buxo] C:\WINDOWS\system32\rycy\buxo.exe
    O4 - HKLM\..\Run: [ChoUqTx4] C:\WINDOWS\iwgebn.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ddppuz.exe reg_run
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Á³# L"h'þ9Óœð3rÅWC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\iwgebn.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk04583HK
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.barg...MARKETING32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
    O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab
    O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\WINDOWS\iwgebn.exe
    C:\WINDOWS\iwgebn.exe
    C:\WINDOWS\system32\ddppuz.exe
    C:\WINDOWS\system32\qlink32.dll
    C:\WINDOWS\system32\rycy <-- delete this folder
    C:\Program Files\ISTsvc <-- delete this folder



    Delete your temp files
    • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete(or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.
Reboot your computer to go back to normal mode.


Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • You may need to disable your antivirus program while this scan runs.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
  • Make sure to reenable your antivirus program if you disabled it.
Reboot and post a new hijackthis log and the info from your virus scan.
  • 0

#9
meow
Posted 15 October 2005 - 12:51 PM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey der.. i did all that u asked, the file C:\WINDOWS\system32\ddppuz.exe was there in my computer but i cudnt delete it, it said "make sure the disk is not full or write protected and that the file is not currently in use" i did ctrl alt del to see if its in use but it wasnt, i dont know why it wudnt delete.. and did the rest of the stuff then n let that file be .. here are the reports,

Panda virus scan report

Detected Disinfected
Virus
2 2
Spyware
18 0
Hacking Tools
0 0
Dialers
1 0
Security Risks
0 0
Suspicious files
0 0



Incident Status Location


Virus:Trj/Agent.AKT Disinfected Operating system
Adware:Adware/QoolShown No disinfected C:\WINDOWS\system32\wuauclt.dll
Adware:Adware/Qoologic No disinfected C:\WINDOWS\system32\llrronc.dll
Virus:Trj/Agent.AKT Disinfected Operating system
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\KAZAA\TopSearch.dll
Adware:adware/maxifiles No disinfected C:\PROGRAMFILES\COMMONFILES\services.exe
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Adware:adware/mssearch No disinfected C:\WINDOWS\SYSTEM32\toolbar.exe
Adware:adware/qoologic No disinfected C:\WINDOWS\SYSTEM32\wuauclt.dll
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:adware/consumeralertsystemNo disinfected C:\PROGRAM FILES\CasStub
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/ist.yoursitebar No disinfected C:\PROGRAM FILES\YourSiteBar
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM32\AdCache
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/elitebar No disinfected C:\Documents and

Settings\Mehreen.USER245\Favorites\Casino & Carrers
Adware:adware/ist.istbar No disinfected Windows Registry
Dialer:dialer.asl No disinfected

HKEY_CLASSES_ROOT\CLSID\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/searchresults No disinfected Windows Registry

Hijack this report

Logfile of HijackThis v1.99.1
Scan saved at 11:31:46, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.3.2:8080
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_204787] C:\WINDOWS\system32\ActiveScan\pavdr.exe 204787
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Symantec AntiVirus Client (2).lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} (Installer Class) - http://downloads.sho..._ms1002_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100105792769
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow...voice/voice.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE (file missing)
  • 0

#10
meow
Posted 15 October 2005 - 10:02 PM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
all my formating didnt come :tazz:.. on my previous post .. i shud view it before han.. but i pasted it .. n it was fine.. then when i posted it.. it all went away..

hmmm my comps got loads of virus han :) donno why!!..
  • 0

Advertisements

#11
Buckeye_Sam
Posted 16 October 2005 - 07:28 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We're getting there. We'll have a few more steps though.

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\system32\wuauclt.dll
      C:\WINDOWS\system32\llrronc.dll
      C:\PROGRAM FILES\KAZAA\TopSearch.dll
      C:\PROGRAMFILES\COMMONFILES\services.exe
      C:\WINDOWS\SYSTEM32\ide21201.vxd
      C:\WINDOWS\SYSTEM32\toolbar.exe
      C:\WINDOWS\NDNuninstall6_38.exe
      C:\PROGRAM FILES\CasStub
      C:\PROGRAM FILES\SideFind
      C:\PROGRAM FILES\YourSiteBar
      C:\WINDOWS\SYSTEM32\AdCache
      C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
      C:\WINDOWS\SYSTEM32\P2P Networking
      C:\WINDOWS\SYSTEM32\SahImages
      C:\Documents and Settings\Mehreen.USER245\Favorites\Casino & Carrers

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.



Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

#12
meow
Posted 17 October 2005 - 12:11 PM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
hey der,

i got the killbox, n tried pasting the data u told me to, it is only accepting the first 6 files, and not taking the rest, wat shud i do?..

i tried to copy the others and paste it, it stil wudnt do it, i'll keep on trying but lemme know if it wud take more then six or not.. thanks
  • 0

#13
Buckeye_Sam
Posted 17 October 2005 - 04:53 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
See if you can find the files/folders and manually delete them. It's not absolutely necessary to use Killbox. It's just much quicker and easier...when it works. :tazz:

Then go ahead and follow the directions and post the log from WinPFind.
  • 0

#14
meow
Posted 18 October 2005 - 10:22 AM

meow

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey der.. i am zee back!.. hmm i did use killbox, but wat i did was that i browsed and found these files and then deleted them :tazz: ismaart of me no? heh. ne hows.. heres the report..its quite long!

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 08/10/2005 PM 11:44:14 218112 C:\HijackThis.exe
winsync 08/10/2005 PM 11:45:20 6989 C:\hijackthis.log
UPX! 18/10/2005 PM 07:23:54 354 C:\patterns.txt
FSG! 18/10/2005 PM 07:23:54 354 C:\patterns.txt
PEC2 18/10/2005 PM 07:23:54 354 C:\patterns.txt
PECompact2 18/10/2005 PM 07:23:54 354 C:\patterns.txt
Umonitor 18/10/2005 PM 07:23:54 354 C:\patterns.txt
qoologic 18/10/2005 PM 07:23:54 354 C:\patterns.txt
aspack 18/10/2005 PM 07:23:54 354 C:\patterns.txt
PTech 18/10/2005 PM 07:23:54 354 C:\patterns.txt
urllogic 18/10/2005 PM 07:23:54 354 C:\patterns.txt
ad-beh 18/10/2005 PM 07:23:54 354 C:\patterns.txt
ad-behNior.com 18/10/2005 PM 07:23:54 354 C:\patterns.txt
sYVLLSAKY 18/10/2005 PM 07:23:54 354 C:\patterns.txt
_rtneg3 18/10/2005 PM 07:23:54 354 C:\patterns.txt
SAHAgent 18/10/2005 PM 07:23:54 354 C:\patterns.txt
buddy.exe 18/10/2005 PM 07:23:54 354 C:\patterns.txt
ZepMon 18/10/2005 PM 07:23:54 354 C:\patterns.txt
aurora.exe 18/10/2005 PM 07:23:54 354 C:\patterns.txt
;2x(V]@BMD 18/10/2005 PM 07:23:54 354 C:\patterns.txt
Tlji7Mk 18/10/2005 PM 07:23:54 354 C:\patterns.txt
KavSvc 18/10/2005 PM 07:23:54 354 C:\patterns.txt
69.59.186.63 18/10/2005 PM 07:23:54 354 C:\patterns.txt
209.66.67.134 18/10/2005 PM 07:23:54 354 C:\patterns.txt
66.63.167.97 18/10/2005 PM 07:23:54 354 C:\patterns.txt
66.63.167.77 18/10/2005 PM 07:23:54 354 C:\patterns.txt
abetterinternet.com 18/10/2005 PM 07:23:54 354 C:\patterns.txt
8B!7F\(T 18/10/2005 PM 07:23:54 354 C:\patterns.txt
testpopup 18/10/2005 PM 07:23:54 354 C:\patterns.txt
web-nex 18/10/2005 PM 07:23:54 354 C:\patterns.txt
yourkey 18/10/2005 PM 07:23:54 354 C:\patterns.txt
winsync 18/10/2005 PM 07:23:54 354 C:\patterns.txt
rec2_run 18/10/2005 PM 07:23:54 354 C:\patterns.txt
WinShutDown 18/10/2005 PM 07:23:54 354 C:\patterns.txt
ad-w-a-r-e.com 18/10/2005 PM 07:23:54 354 C:\patterns.txt
UPX! 18/10/2005 PM 07:23:56 206336 C:\winpfind.exe
qoologic 18/10/2005 PM 04:41:24 202953 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 21/07/2005 PM 03:13:32 52224 C:\WINDOWS\2tnoo011.exe
PECompact2 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\LPT$VPN.869
qoologic 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\LPT$VPN.869
SAHAgent 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\LPT$VPN.869
UPX! 03/05/2005 AM 11:44:44 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/01/2005 PM 04:17:24 170053 C:\WINDOWS\tsc.exe
PECompact2 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\VPTNFILE.869
qoologic 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\VPTNFILE.869
SAHAgent 02/10/2005 PM 02:01:36 15988639 C:\WINDOWS\VPTNFILE.869
UPX! 18/02/2005 PM 06:40:14 1044560 C:\WINDOWS\vsapi32.dll
aspack 18/02/2005 PM 06:40:14 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 30/09/2005 PM 11:40:56 35 C:\WINDOWS\SYSTEM32\2tnoo011.ini
PEC2 18/11/1996 PM 12:00:00 748160 C:\WINDOWS\SYSTEM32\CO2C40EN.DLL
UPX! 17/09/2001 PM 01:20:02 9216 C:\WINDOWS\SYSTEM32\cpuinf32.dll
PEC2 23/08/2001 PM 05:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 21/07/2005 PM 03:14:24 30720 C:\WINDOWS\SYSTEM32\hmti6006.exe
SAHAgent 30/09/2005 PM 11:40:56 35 C:\WINDOWS\SYSTEM32\hmti6006.ini
69.59.186.63 18/10/2005 PM 07:22:46 133120 C:\WINDOWS\SYSTEM32\kkeel.dll
209.66.67.134 18/10/2005 PM 07:22:46 133120 C:\WINDOWS\SYSTEM32\kkeel.dll
web-nex 18/10/2005 PM 07:22:46 133120 C:\WINDOWS\SYSTEM32\kkeel.dll
winsync 18/10/2005 PM 07:22:46 133120 C:\WINDOWS\SYSTEM32\kkeel.dll
69.59.186.63 18/10/2005 PM 07:22:46 181760 C:\WINDOWS\SYSTEM32\llrronc.dll
209.66.67.134 18/10/2005 PM 07:22:46 181760 C:\WINDOWS\SYSTEM32\llrronc.dll
web-nex 18/10/2005 PM 07:22:46 181760 C:\WINDOWS\SYSTEM32\llrronc.dll
winsync 18/10/2005 PM 07:22:46 181760 C:\WINDOWS\SYSTEM32\llrronc.dll
UPX! 31/10/2001 AM 11:14:40 30720 C:\WINDOWS\SYSTEM32\mplaa6.dll
UPX! 31/10/2001 AM 11:14:40 30208 C:\WINDOWS\SYSTEM32\mplam6.dll
UPX! 31/10/2001 AM 11:14:40 29184 C:\WINDOWS\SYSTEM32\mplapx.dll
UPX! 31/10/2001 AM 11:14:40 30720 C:\WINDOWS\SYSTEM32\mplaw7.dll
UPX! 31/10/2001 AM 11:14:40 215040 C:\WINDOWS\SYSTEM32\mplva6.dll
UPX! 31/10/2001 AM 11:14:40 203264 C:\WINDOWS\SYSTEM32\mplvm6.dll
UPX! 31/10/2001 AM 11:14:40 245760 C:\WINDOWS\SYSTEM32\mplvpx.dll
UPX! 31/10/2001 AM 11:14:40 211456 C:\WINDOWS\SYSTEM32\mplvw7.dll
aspack 04/08/2004 AM 03:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
69.59.186.63 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
209.66.67.134 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
66.63.167.97 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
66.63.167.77 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
web-nex 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
winsync 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
rec2_run 30/09/2005 PM 11:12:48 264704 C:\WINDOWS\SYSTEM32\qool3.exe
Umonitor 04/08/2004 AM 03:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 22/07/2005 PM 02:22:16 230400 C:\WINDOWS\SYSTEM32\rsphc5e9.exe
SAHAgent 01/10/2005 AM 10:55:38 3140 C:\WINDOWS\SYSTEM32\rsphc5e9.ini
UPX! 30/09/2005 PM 11:07:10 223232 C:\WINDOWS\SYSTEM32\uci.exe
winsync 23/08/2001 PM 05:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
18/10/2005 PM 07:26:56 S 2048 C:\WINDOWS\bootstat.dat
30/09/2005 PM 11:14:48 S 50688 C:\WINDOWS\NDNuninstall6_38.exe
07/10/2005 PM 07:45:16 S 182272 C:\WINDOWS\NDNuninstall6_90.exe
25/08/2005 PM 07:32:42 H 54156 C:\WINDOWS\QTFont.qfn
18/10/2005 PM 07:14:10 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0483d65bc374a85b8274f34e5935f6a2\BIT33A.tmp
18/10/2005 PM 07:12:34 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0895e7ba3074ff06b086171e993094c0\BIT10.tmp
18/10/2005 PM 07:25:06 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\1f9b549b31aa4bd195878a487fdb1652\BIT3.tmp
18/10/2005 PM 07:12:48 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\23c929be5c0510672389df589a274f77\BIT11.tmp
18/10/2005 PM 07:13:08 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\380a38a73a09f3292579c9fb8f25506e\BIT12.tmp
18/10/2005 PM 07:13:58 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4026cb0febf76a3da2bed800f68f0022\BIT15.tmp
18/10/2005 PM 07:25:22 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\4cb70271437bd595be5bedba46ddc04f\BIT9.tmp
18/10/2005 PM 07:25:14 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\51242e062b4e8600968057f111cf9b54\BIT4.tmp
18/10/2005 PM 07:11:38 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5407e8c451ddfb412c72afc9f2c13337\BIT8.tmp
18/10/2005 PM 07:10:30 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6a20958623cd045973c06f6b85b8be34\BIT7.tmp
18/10/2005 PM 07:12:14 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7210e87e3912d997c94a92cc081e02d4\BITF.tmp
18/10/2005 PM 07:25:02 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7d081e62713e8f25f8ea1d3688031b5d\BIT2.tmp
18/10/2005 PM 07:12:02 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\810c536d786592e0efb9852931bf1ba6\BITE.tmp
18/10/2005 PM 07:11:04 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8a9c7d1cb99b6efff1f6b110c55b2ee9\BITC.tmp
18/10/2005 PM 07:14:04 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b394b842d9c4e6a28427fae777df59a\BIT339.tmp
18/10/2005 PM 07:24:58 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8d224a8639d0d3cd94106bd72168312a\BIT1.tmp
18/10/2005 PM 07:13:16 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\981593429475ef0704f5014344a18469\BIT13.tmp
18/10/2005 PM 07:25:32 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b2d5bf1528590d957dcebbe21530a5a7\BITA.tmp
18/10/2005 PM 07:11:26 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d37c7e708fc2513c5b94b4befbcaf6e9\BITD.tmp
18/10/2005 PM 07:10:42 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e6b7d12449da7f5e501f865d71be49c7\BITB.tmp
18/10/2005 PM 07:13:40 H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e741c3aa4e1fa87dd7e863074c4e2e43\BIT14.tmp
14/10/2005 PM 05:21:40 HS 8192 C:\WINDOWS\system32\Thumbs.db
18/10/2005 PM 07:26:48 H 8192 C:\WINDOWS\system32\config\default.LOG
18/10/2005 PM 07:27:18 H 1024 C:\WINDOWS\system32\config\SAM.LOG
18/10/2005 PM 07:26:58 H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
18/10/2005 PM 07:27:18 H 65536 C:\WINDOWS\system32\config\software.LOG
18/10/2005 PM 07:27:02 H 892928 C:\WINDOWS\system32\config\system.LOG
30/09/2005 PM 11:28:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
30/09/2005 PM 11:28:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\459I6JE8\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49WKZR9Y\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\D4IOS0W4\desktop.ini
30/09/2005 PM 11:28:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TB5HD03E\desktop.ini
18/10/2005 PM 07:25:38 H 6 C:\WINDOWS\Tasks\SA.DAT
14/10/2005 PM 05:20:52 HS 7168 C:\WINDOWS\Web\Thumbs.db

Checking for CPL files...
03/04/2003 AM 12:17:40 172032 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/06/2005 AM 03:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 PM 06:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 03/08/2004 PM 02:03:24 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 23/08/2001 PM 05:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04/08/2004 AM 03:56:58 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 03/08/2004 PM 02:03:24 167704 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/11/2004 PM 09:05:04 HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
18/10/2005 AM 06:52:44 417792 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
05/10/2005 PM 11:24:10 785 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Symantec AntiVirus Client (2).lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
09/11/2004 AM 01:35:48 HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
08/11/2004 PM 09:05:04 HS 84 C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
09/11/2004 AM 01:35:46 HS 62 C:\Documents and Settings\Mehreen.USER245\Application Data\desktop.ini
24/09/2005 AM 10:24:54 105280 C:\Documents and Settings\Mehreen.USER245\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
acc=ventura5 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mmnnqkyk
{dd56d0cd-0785-4f9e-8097-6ae56ff9bae9} = C:\WINDOWS\system32\kkeel.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\system32\wuauclt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} = COMMUNICATOR : C:\WINDOWS\system32\communicator.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
winsync C:\WINDOWS\system32\ddppuz.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
googletalk "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^rrkk.exe
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
backup C:\WINDOWS\pss\rrkk.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
item rrkk
path C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
backup C:\WINDOWS\pss\rrkk.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
item rrkk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Mehreen.USER245^Start Menu^Programs^Startup^Zeno.lnk
path C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\Zeno.lnk
backup C:\WINDOWS\pss\Zeno.lnkStartup
location Startup
command C:\WINDOWS\system32\ysysrx6d.exe DO0605
item Zeno
path C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\Zeno.lnk
backup C:\WINDOWS\pss\Zeno.lnkStartup
location Startup
command C:\WINDOWS\system32\ysysrx6d.exe DO0605
item Zeno

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Mehreen.USER245^Start Menu^Programs^Startup^Zstart.lnk
path C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\Zstart.lnk
backup C:\WINDOWS\pss\Zstart.lnkStartup
location Startup
command C:\WINDOWS\system32\cxdxregt.exe DO0605
item Zstart
path C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\Zstart.lnk
backup C:\WINDOWS\pss\Zstart.lnkStartup
location Startup
command C:\WINDOWS\system32\cxdxregt.exe DO0605
item Zstart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\002
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item medgs1
hkey HKLM
command C:\WINDOWS\system32\medgs1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item medgs1
hkey HKLM
command C:\WINDOWS\system32\medgs1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\180ClientStubInstall
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKCU
command "C:\DOCUME~1\MEHREE~1.USE\LOCALS~1\Temp\sais.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sais
hkey HKCU
command "C:\DOCUME~1\MEHREE~1.USE\LOCALS~1\Temp\sais.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BluetoothAuthenticationAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rundll32
hkey HKLM
command rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BrowserUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ysysrx6d
hkey HKLM
command C:\WINDOWS\system32\ysysrx6d.exe DO0605
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ysysrx6d
hkey HKLM
command C:\WINDOWS\system32\ysysrx6d.exe DO0605
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\buxo
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item buxo
hkey HKLM
command C:\WINDOWS\system32\rycy\buxo.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item buxo
hkey HKLM
command C:\WINDOWS\system32\rycy\buxo.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CardGate
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CardGate
hkey HKLM
command "C:\Program Files\Softick\CardExport\CardGate.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CardGate
hkey HKLM
command "C:\Program Files\Softick\CardExport\CardGate.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CAS Client
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casclient
hkey HKCU
command "C:\Program Files\Cas\Client\casclient.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casclient
hkey HKCU
command "C:\Program Files\Cas\Client\casclient.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ChoUqTx4
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iwgebn
hkey HKLM
command C:\WINDOWS\iwgebn.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iwgebn
hkey HKLM
command C:\WINDOWS\iwgebn.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DNS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-58-12-0000119
hkey HKCU
command C:\Program Files\Common Files\mc-58-12-0000119.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-58-12-0000119
hkey HKCU
command C:\Program Files\Common Files\mc-58-12-0000119.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\exp.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exp
hkey HKLM
command C:\WINDOWS\system32\exp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item exp
hkey HKLM
command C:\WINDOWS\system32\exp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\googletalk
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item googletalk
hkey HKCU
command "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item googletalk
hkey HKCU
command "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GsAds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gms2
hkey HKLM
command C:\WINDOWS\system32\gms2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gms2
hkey HKLM
command C:\WINDOWS\system32\gms2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IST Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item istsvc
hkey HKLM
command C:\Program Files\ISTsvc\istsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Access
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaAccK
hkey HKLM
command C:\Program Files\Media Access\MediaAccK.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaAccK
hkey HKLM
command C:\Program Files\Media Access\MediaAccK.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~1
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~1
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\opr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item opr
hkey HKLM
command C:\WINDOWS\system32\opr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item opr
hkey HKLM
command C:\WINDOWS\system32\opr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Power Scan
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item powerscan
hkey HKLM
command C:\Program Files\Power Scan\powerscan.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item powerscan
hkey HKLM
command C:\Program Files\Power Scan\powerscan.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSof1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\system32\PSof1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\system32\PSof1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rsphc5e9
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rsphc5e9
hkey HKLM
command C:\WINDOWS\system32\rsphc5e9.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rsphc5e9
hkey HKLM
command C:\WINDOWS\system32\rsphc5e9.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\services32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-58-12-0000119
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mc-58-12-0000119
hkey HKCU
command C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\stb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item stb
hkey HKLM
command C:\WINDOWS\system32\stb.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item stb
hkey HKLM
command C:\WINDOWS\system32\stb.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SurfAccuracy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SAcc
hkey HKLM
command C:\Program Files\SurfAccuracy\SAcc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SAcc
hkey HKLM
command C:\Program Files\SurfAccuracy\SAcc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System service70
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka70
hkey HKLM
command C:\WINDOWS\\\etb\\pokapoka70.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka70
hkey HKLM
command C:\WINDOWS\\\etb\\pokapoka70.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vptray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vptray
hkey HKLM
command C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vptray
hkey HKLM
command C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ssggdd
hkey HKLM
command C:\WINDOWS\system32\ssggdd.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ssggdd
hkey HKLM
command C:\WINDOWS\system32\ssggdd.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinTask driver
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wintask
hkey HKLM
command C:\WINDOWS\system32\wintask.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wintask
hkey HKLM
command C:\WINDOWS\system32\wintask.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ZStart
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wpdxregv
hkey HKLM
command c:\windows\system32\wpdxregv.exe DO0605
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wpdxregv
hkey HKLM
command c:\windows\system32\wpdxregv.exe DO0605
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gnotify
hkey HKLM
command C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gnotify
hkey HKLM
command C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18/10/2005 PM 07:40:20
  • 0

#15
Buckeye_Sam
Posted 18 October 2005 - 04:14 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mmnnqkyk]

[-HKEY_CLASSES_ROOT\CLSID\{dd56d0cd-0785-4f9e-8097-6ae56ff9bae9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!





Please delete these files, either manually or with Killbox.

C:\WINDOWS\2tnoo011.exe
C:\WINDOWS\iwgebn.exe
C:\WINDOWS\SYSTEM32\hmti6006.exe
C:\WINDOWS\SYSTEM32\hmti6006.ini
C:\WINDOWS\SYSTEM32\kkeel.dll
C:\WINDOWS\SYSTEM32\llrronc.dll
C:\WINDOWS\SYSTEM32\qool3.exe
C:\WINDOWS\SYSTEM32\rsphc5e9.exe
C:\WINDOWS\SYSTEM32\rsphc5e9.ini
C:\WINDOWS\SYSTEM32\uci.exe
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall6_90.exe
C:\WINDOWS\system32\ddppuz.exe
C:\WINDOWS\system32\ysysrx6d.exe
C:\WINDOWS\system32\cxdxregt.exe
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\ssggdd.exe
C:\WINDOWS\system32\wintask.exe
c:\windows\system32\wpdxregv.exe
C:\WINDOWS\system32\stb.exe
C:\WINDOWS\system32\opr.exe
C:\WINDOWS\system32\gms2.exe
C:\Program Files\Power Scan\powerscan.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\rycy\buxo.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000119.exe
C:\Program Files\Common Files\mc-58-12-0000119.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\rrkk.exe
C:\Documents and Settings\Mehreen.USER245\Start Menu\Programs\Startup\Zstart.lnk


Reboot your computer.


Please download WebRoot SpySweeper (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Please run msconfig and enable all startup items. Now reboot once more and post a new hijackthis log and the log from Spysweeper.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP