Look2me has my XP box



#1
LeatherCat
Member, 14 posts
Evenin all happy and smiling people :)
I've been fighting with a super resistant malware infection on an eMachine running XP Home (Service Pack 1 installed). So far I've followed all the instructions in the preamble to this forum: CWShredder, Ad-Aware, Ewido, etc. (even the Microsoft/Giant product) and still have unwanted pop-ups and a VERY slow machine. After a number of cycles through the recommended initial steps, Ewido is the only program able to identify any problems. It will consistently report the look2me program, say it's deleted, and then upon reboot -- IT'S BACK. So I need help here. HijackThis log follows:
(N.B. sent from a secure Linux box)

[xme@whip xme]$ cat hijackthis.log
Logfile of HijackThis v1.99.1
Scan saved at 6:14:03 PM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\active\common\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...nt/wuweb_site.cab?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...usecall/xscan53.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

#2
Wizard
Retired Staff, 5,661 posts
Hi LeatherCat and Welcome to GeekstoGo!

Your HijackThis log doesn't show us a whole lot, so let's look a bit deeper!

Update Ewido with the latest definitions and we will use it in Safe Mode!


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


While in Safe Mode and with All Windows and Browsers Closed-> Scan the System with Ewido-> Clean all it finds and be sure to click the tab to Save a Report!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart normally and have the PC scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from WinPFind-> Ewido and Panda!

#3
LeatherCat (Topic Starter)
Member, 14 posts
Ok here it is:

This first one worries me a bit. I knew it was self-regenerating but ....!!!!
from WinPFind

[xme@whip xme]$ cat WinPFind.Txt
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 10/18/2004 8:47:48 AM 5587526 C:\msbb_kyf.dat

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
WinShutDown 9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\afi2dvaa.dll
ad-w-a-r-e.com 9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\afi2dvaa.dll
WinShutDown 9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\SYSTEM32\ajstream.dll
ad-w-a-r-e.com 9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\SYSTEM32\ajstream.dll
WinShutDown 9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\SYSTEM32\amfsipc.dll
ad-w-a-r-e.com 9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\SYSTEM32\amfsipc.dll
WinShutDown 9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\SYSTEM32\ATPXEC32.DLL
ad-w-a-r-e.com 9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\SYSTEM32\ATPXEC32.DLL
WinShutDown 9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\SYSTEM32\ayvapi32.dll
ad-w-a-r-e.com 9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\SYSTEM32\ayvapi32.dll
WinShutDown 9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\SYSTEM32\azctres.dll
ad-w-a-r-e.com 9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\SYSTEM32\azctres.dll
WinShutDown 9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\SYSTEM32\cbfgnt.dll
ad-w-a-r-e.com 9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\SYSTEM32\cbfgnt.dll
WinShutDown 9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\SYSTEM32\chutil.dll
ad-w-a-r-e.com 9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\SYSTEM32\chutil.dll
WinShutDown 9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\SYSTEM32\CKMMTB32.DLL
ad-w-a-r-e.com 9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\SYSTEM32\CKMMTB32.DLL
WinShutDown 9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\SYSTEM32\cnlbact.dll
ad-w-a-r-e.com 9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\SYSTEM32\cnlbact.dll
WinShutDown 9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\SYSTEM32\cpcui.dll
ad-w-a-r-e.com 9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\SYSTEM32\cpcui.dll
WinShutDown 9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\SYSTEM32\crmcat.dll
ad-w-a-r-e.com 9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\SYSTEM32\crmcat.dll
WinShutDown 9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\SYSTEM32\cTis2022.dll
ad-w-a-r-e.com 9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\SYSTEM32\cTis2022.dll
WinShutDown 9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\SYSTEM32\cZpesnpn.dll
ad-w-a-r-e.com 9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\SYSTEM32\cZpesnpn.dll
WinShutDown 9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\SYSTEM32\dcnet.dll
ad-w-a-r-e.com 9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\SYSTEM32\dcnet.dll
PECWinShutDown 9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\SYSTEM32\dktrans.dll
ad-w-a-r-e.com 9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\SYSTEM32\dktrans.dll
WinShutDown 9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\SYSTEM32\dyvenum.dll
ad-w-a-r-e.com 9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\SYSTEM32\dyvenum.dll
WinShutDown 9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\SYSTEM32\ews.dll
ad-w-a-r-e.com 9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\SYSTEM32\ews.dll
WinShutDown 9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\SYSTEM32\glkrsrc.dll
ad-w-a-r-e.com 9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\SYSTEM32\glkrsrc.dll
WinShutDown 9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\SYSTEM32\hltplug.dll
ad-w-a-r-e.com 9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\SYSTEM32\hltplug.dll
WinShutDown 10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\SYSTEM32\hrl4053qe.dll
ad-w-a-r-e.com 10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\SYSTEM32\hrl4053qe.dll
WinShutDown 9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\SYSTEM32\hYshlib.dll
ad-w-a-r-e.com 9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\SYSTEM32\hYshlib.dll
WinShutDown 9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\SYSTEM32\iaetppui.dll
ad-w-a-r-e.com 9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\SYSTEM32\iaetppui.dll
WinShutDown 9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\SYSTEM32\idsso.dll
ad-w-a-r-e.com 9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\SYSTEM32\idsso.dll
WinShutDown 9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\ikfxdgps.dll
ad-w-a-r-e.com 9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\ikfxdgps.dll
WinShutDown 9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\SYSTEM32\irlogmsg.dll
ad-w-a-r-e.com 9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\SYSTEM32\irlogmsg.dll
WinShutDown 10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\SYSTEM32\IUX32d56.dll
ad-w-a-r-e.com 10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\SYSTEM32\IUX32d56.dll
WinShutDown 9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\SYSTEM32\kcd101a.dll
ad-w-a-r-e.com 9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\SYSTEM32\kcd101a.dll
WinShutDown 9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\SYSTEM32\kgdca.dll
ad-w-a-r-e.com 9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\SYSTEM32\kgdca.dll
WinShutDown 9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\SYSTEM32\kqdheb.dll
ad-w-a-r-e.com 9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\SYSTEM32\kqdheb.dll
WinShutDown 9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\SYSTEM32\kqduzb.dll
ad-w-a-r-e.com 9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\SYSTEM32\kqduzb.dll
WinShutDown 9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\SYSTEM32\kydcz2.dll
ad-w-a-r-e.com 9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\SYSTEM32\kydcz2.dll
WinShutDown 9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\SYSTEM32\kzdinguj.dll
ad-w-a-r-e.com 9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\SYSTEM32\kzdinguj.dll
WinShutDown 9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\SYSTEM32\lirhelp.dll
ad-w-a-r-e.com 9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\SYSTEM32\lirhelp.dll
WinShutDown 10/2/2005 4:26:58 PM 235741 C:\WINDOWS\SYSTEM32\lv2q09f5e.dll
ad-w-a-r-e.com 10/2/2005 4:26:58 PM 235741 C:\WINDOWS\SYSTEM32\lv2q09f5e.dll
WinShutDown 9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\SYSTEM32\MFPI.DLL
ad-w-a-r-e.com 9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\SYSTEM32\MFPI.DLL
WinShutDown 9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\SYSTEM32\mhfutil.dll
ad-w-a-r-e.com 9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\SYSTEM32\mhfutil.dll
WinShutDown 9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mjvcp50.dll
ad-w-a-r-e.com 9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mjvcp50.dll
WinShutDown 9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\SYSTEM32\mNg_hook.dll
ad-w-a-r-e.com 9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\SYSTEM32\mNg_hook.dll
WinShutDown 9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mprepl40.dll
ad-w-a-r-e.com 9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mprepl40.dll
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\SYSTEM32\mtasn1.dll
ad-w-a-r-e.com 9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\SYSTEM32\mtasn1.dll
WinShutDown 10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\SYSTEM32\mv48l9hu1.dll
ad-w-a-r-e.com 10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\SYSTEM32\mv48l9hu1.dll
WinShutDown 9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\SYSTEM32\nwmsdba.dll
ad-w-a-r-e.com 9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\SYSTEM32\nwmsdba.dll
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
WinShutDown 10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\SYSTEM32\pzrfdisk.dll
ad-w-a-r-e.com 10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\SYSTEM32\pzrfdisk.dll
Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\SYSTEM32\rLsauto.dll
ad-w-a-r-e.com 9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\SYSTEM32\rLsauto.dll
WinShutDown 9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\SYSTEM32\rSsman.dll
ad-w-a-r-e.com 9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\SYSTEM32\rSsman.dll
WinShutDown 9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\SYSTEM32\rUsauto.dll
ad-w-a-r-e.com 9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\SYSTEM32\rUsauto.dll
WinShutDown 9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\SYSTEM32\RYCRES.dll
ad-w-a-r-e.com 9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\SYSTEM32\RYCRES.dll
WinShutDown 9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sai.dll
ad-w-a-r-e.com 9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sai.dll
WinShutDown 9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\SYSTEM32\SALSRV32.dll
ad-w-a-r-e.com 9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\SYSTEM32\SALSRV32.dll
WinShutDown 9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\SYSTEM32\sgftpub.dll
ad-w-a-r-e.com 9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\SYSTEM32\sgftpub.dll
WinShutDown 9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sje.dll
ad-w-a-r-e.com 9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sje.dll
WinShutDown 9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\SYSTEM32\smell32.dll
ad-w-a-r-e.com 9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\SYSTEM32\smell32.dll
WinShutDown 10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\SYSTEM32\sqrwvdrv.dll
ad-w-a-r-e.com 10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\SYSTEM32\sqrwvdrv.dll
WinShutDown 9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\SYSTEM32\SXLFREG.DLL
ad-w-a-r-e.com 9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\SYSTEM32\SXLFREG.DLL
WinShutDown 9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\SYSTEM32\tfemeui.dll
ad-w-a-r-e.com 9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\SYSTEM32\tfemeui.dll
WinShutDown 9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\SYSTEM32\uyrvoica.dll
ad-w-a-r-e.com 9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\SYSTEM32\uyrvoica.dll
WinShutDown 9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\SYSTEM32\wahext.dll
ad-w-a-r-e.com 9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\SYSTEM32\wahext.dll
WinShutDown 9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wbadss.dll
ad-w-a-r-e.com 9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wbadss.dll
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown 9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\SYSTEM32\wii.dll
ad-w-a-r-e.com 9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\SYSTEM32\wii.dll
WinShutDown 9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wrdsp.dll
ad-w-a-r-e.com 9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wrdsp.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/5/2005 6:17:30 PM S 2048 C:\WINDOWS\bootstat.dat
10/4/2005 9:57:08 AM H 54156 C:\WINDOWS\QTFont.qfn
9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\system32\afi2dvaa.dll
9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\system32\ajstream.dll
9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\system32\amfsipc.dll
9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\system32\ATPXEC32.DLL
9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\system32\ayvapi32.dll
9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\system32\azctres.dll
9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\system32\cbfgnt.dll
9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\system32\chutil.dll
9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\system32\CKMMTB32.DLL
9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\system32\cnlbact.dll
9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\system32\cpcui.dll
9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\system32\crmcat.dll
9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\system32\cTis2022.dll
9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\system32\cZpesnpn.dll
9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\system32\dcnet.dll
9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\system32\dktrans.dll
9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\system32\dyvenum.dll
9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\system32\ews.dll
10/4/2005 9:58:46 AM H 23799 C:\WINDOWS\system32\FFASTLOG.TXT
9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\system32\glkrsrc.dll
10/2/2005 6:06:52 PM R S 233724 C:\WINDOWS\system32\h60qlgd5160.dll
9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\system32\hltplug.dll
10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\system32\hrl4053qe.dll
9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\system32\hYshlib.dll
9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\system32\iaetppui.dll
9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\system32\idsso.dll
9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\system32\ikfxdgps.dll
10/5/2005 6:17:56 PM R S 233724 C:\WINDOWS\system32\ilcvid.dll
9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\system32\irlogmsg.dll
10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\system32\IUX32d56.dll
9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\system32\kcd101a.dll
9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\system32\kgdca.dll
9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\system32\kqdheb.dll
9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\system32\kqduzb.dll
9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\system32\kydcz2.dll
9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\system32\kzdinguj.dll
9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\system32\lirhelp.dll
9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\system32\MFPI.DLL
9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\system32\mhfutil.dll
9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\system32\mjvcp50.dll
9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\system32\mNg_hook.dll
9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\system32\mprepl40.dll
9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\system32\mtasn1.dll
10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\system32\mv48l9hu1.dll
9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\system32\nwmsdba.dll
10/4/2005 9:57:00 AM R S 233724 C:\WINDOWS\system32\p0r40a9qed.dll
10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\system32\pzrfdisk.dll
9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\system32\rLsauto.dll
9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\system32\rSsman.dll
9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\system32\rUsauto.dll
9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\system32\RYCRES.dll
9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\system32\sai.dll
9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\system32\SALSRV32.dll
9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\system32\sgftpub.dll
9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\system32\sje.dll
9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\system32\smell32.dll
10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\system32\sqrwvdrv.dll
9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\system32\SXLFREG.DLL
9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\system32\tfemeui.dll
9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\system32\uyrvoica.dll
9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\system32\wahext.dll
9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\system32\wbadss.dll
9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\system32\wii.dll
9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\system32\wrdsp.dll
10/5/2005 6:17:56 PM H 24576 C:\WINDOWS\system32\config\default.LOG
10/5/2005 6:17:52 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/5/2005 6:17:32 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/5/2005 6:20:54 PM H 53248 C:\WINDOWS\system32\config\software.LOG
10/5/2005 6:17:38 PM H 880640 C:\WINDOWS\system32\config\system.LOG
10/2/2005 3:26:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z6FGF8P\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLAVO12R\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TODNSRFF\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9KHAZ27\desktop.ini
10/4/2005 9:55:48 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 10/12/2001 10:30:50 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/11/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 12:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 3/25/2003 9:06:28 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/19/2005 1:26:08 PM 1797 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/26/2003 9:22:34 AM 801 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{6192E451-AA25-434C-84B6-5D36583D1DED} = C:\WINDOWS\system32\svrio800.dll
{3E50A167-6BBE-476C-AC57-3593AAC58F55} = C:\WINDOWS\system32\guard.tmp
{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6} = C:\WINDOWS\system32\sqrwvdrv.dll
{69EBB12A-4ED2-4D54-9275-210814C69C9A} = C:\WINDOWS\system32\ilcvid.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\System32\WEBCHECK.DLL
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/5/2005 6:41:41 PM



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


from Ewido

[xme@whip xme]$ cat Scan\ report_20051005.txt.txt
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:30:30 PM, 10/5/2005
+ Report-Checksum: 43E0A738

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}\TypeLib\\ -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
[604] C:\WINDOWS\system32\ilcvid.dll -> Spyware.Look2Me : Error during cleaning
[720] C:\WINDOWS\system32\ilcvid.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\9F8E2666-264D-4F6B-916E-3854EE -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4E30B5F4-F6F7-4984-B985-BF9A62\611DF91E-7EBA-4385-8CEE-A2AF3E -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4E30B5F4-F6F7-4984-B985-BF9A62\D1D16769-DAF4-49D7-8C10-E0FF6A -> Spyware.VirtualBouncer : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4E30B5F4-F6F7-4984-B985-BF9A62\F64D508B-E797-40C4-96EF-97BFF8 -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\afi2dvaa.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ajstream.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\amfsipc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ATPXEC32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ayvapi32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\azctres.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cbfgnt.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\chutil.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\CKMMTB32.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cnlbact.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cpcui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\crmcat.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cTis2022.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cZpesnpn.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dcnet.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dktrans.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dyvenum.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ews.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\glkrsrc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hltplug.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hrl4053qe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hYshlib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\iaetppui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\idsso.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ikfxdgps.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\irlogmsg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\IUX32d56.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kcd101a.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kgdca.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kqdheb.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kqduzb.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kydcz2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kzdinguj.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lirhelp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lv2q09f5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\MFPI.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhfutil.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mjvcp50.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mNg_hook.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mprepl40.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mtasn1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mv48l9hu1.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\nwmsdba.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pzrfdisk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rLsauto.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rSsman.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rUsauto.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\RYCRES.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sai.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\SALSRV32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sgftpub.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sje.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\smell32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\sqrwvdrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\SXLFREG.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\tfemeui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\uyrvoica.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wahext.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wbadss.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wii.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\wrdsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\temp\bw2.com -> TrojanDropper.Agent.pb : Cleaned with backup


::Report End
[xme@whip xme]$


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Report not available from the Panda Active Scan as the system hung up totally while scanning

C:\WINDOWS\system32\guard.tmp

( Big surprise there ! )

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Finally HijackThis log

[xme@whip xme]$ cat hijackthis.051005.log
Logfile of HijackThis v1.99.1
Scan saved at 8:28:47 PM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
F:\active\common\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe



I am beginning to feel we have a long process ahead :tazz:
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Very perceptive you are indeed, this is the Look2me infection and can prove to be quite the bugger to get rid of, but we will get there, just bear with me!

Download the l2mfix from
http://www.atribune....oads/l2mfix.exe
or
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat >> Select Option 5 from the l2mfix and, once at the site, click on the link that applies to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!
  • 0
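The find log that option #1 produces (post #5 in this thread shows one) dumps the Winlogon\Notify key and its ACL, the User Agent\Post Platform key, the Shell Extensions\Approved list and the CLSIDs behind the blank-named entries. The script below is an added example written for this thread, not l2mfix's own code: it performs the same read-only triage with PowerShell on a current Windows host (the original poster's XP SP1 predates PowerShell) and adds the two checks a responder wants first, whether each DLL carries a valid Authenticode signature and which running processes currently have it mapped. The in-use check is what the two ewido lines marked "Error during cleaning" are about: the bracketed numbers in ewido's report are the IDs of the processes the module was found loaded in, and a DLL mapped into winlogon.exe cannot be removed from a normal session. The registry paths are those in the find log; the signature-status logic, the process enumeration, the `$findings` list and the fallback that resolves a bare DLL name to System32 are this example's own assumptions.

```powershell
# Read-only triage of the persistence points the l2mfix find log inspects.
# Added example for this thread, not part of l2mfix. Run from an elevated shell.
# Assumes Windows PowerShell 5.1+ with Get-AuthenticodeSignature available.

$findings = New-Object System.Collections.Generic.List[object]
$notify   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Resolve-DllPath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Bare names (e.g. "rfshext.dll" in the WinPFind dump) go through the loader
        # search order; System32 is where the Look2Me copies in the ewido report live.
        # Assumption of this example: resolve them there.
        $p = Join-Path $env:SystemRoot "System32\$p"
    }
    return $p
}

function Add-Finding {
    param([string]$Source, [string]$Key, [string]$Dll)
    $path   = Resolve-DllPath $Dll
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    $findings.Add([pscustomobject]@{
        Source = $Source; Key = $Key; Dll = $path; Exists = $exists; Signature = $sig; LoadedIn = ''
    })
}

# 0. ACL of the Notify key: the same information RegDACL prints in the find log.
#    A key whose ACEs grant only NT AUTHORITY\SYSTEM hides its subkeys from an
#    Administrators shell, so an empty result in step 1 is not proof of a clean key.
Get-Acl -Path $notify -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Access |
    Format-Table -AutoSize IdentityReference, RegistryRights, AccessControlType, IsInherited

# 1. Winlogon\Notify: every DllName here is loaded by winlogon.exe at logon, which is
#    why an on-disk cleaner reports "Error during cleaning" on a module still mapped.
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
    Add-Finding -Source 'Winlogon\Notify' -Key $_.PSChildName -Dll $dll
}

# 2. Shell Extensions\Approved entries with an empty display name (the find log lists
#    several, e.g. {6192E451-...}). Resolve each CLSID to its InprocServer32 DLL.
$props = Get-ItemProperty -Path $approved -ErrorAction SilentlyContinue
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
    if (-not [string]::IsNullOrEmpty([string]$p.Value)) { continue }
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32"
    $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
    Add-Finding -Source 'ShellExt\Approved (blank name)' -Key $p.Name -Dll $dll
}

# 3. For each DLL that exists but is not validly signed, list the processes that have
#    it mapped right now. Reading module lists of SYSTEM processes needs elevation;
#    processes that refuse are simply skipped.
foreach ($f in $findings | Where-Object { $_.Exists -and $_.Signature -ne 'Valid' }) {
    $holders = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules.FileName -contains $f.Dll } catch { $false }
    } | ForEach-Object { "$($_.ProcessName)($($_.Id))" }
    $f.LoadedIn = ($holders -join ', ')
}

$findings | Sort-Object Signature | Format-Table -AutoSize Source, Key, Dll, Signature, LoadedIn
```

Read the output the way the helpers in this thread read the find log: an unsigned DLL under Winlogon\Notify, or a blank-named Approved entry whose CLSID points at an unsigned DLL in System32, is the persistence to deal with, and the LoadedIn column tells you which process must be stopped (or which boot mode must be used) before the file can be deleted, exactly the situation behind the two ewido "Error during cleaning" lines. The script changes nothing; removal is a separate step, as Wizard's instruction not to run option #2 unprompted makes clear.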

#5
LeatherCat

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'm glad there seems to be no size limit on messages :tazz:

from l2mfix:
=-=-=-==-=-=-=-=-=-=-=
L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A5D799F6-CF78-E715-6DEA-852DE01C24EA}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Property Sheet Shell Extension"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{04466240-beb3-11d1-be1c-00aa006b77f4}"="WebDrive Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{6192E451-AA25-434C-84B6-5D36583D1DED}"=""
"{3E50A167-6BBE-476C-AC57-3593AAC58F55}"=""
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}"=""
"{69EBB12A-4ED2-4D54-9275-210814C69C9A}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}\InprocServer32]
@="C:\\WINDOWS\\system32\\IYETAB32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}\InprocServer32]
@="C:\\WINDOWS\\system32\\sqrwvdrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}\InprocServer32]
@="C:\\WINDOWS\\system32\\ilcvid.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
ilcvid.dll Wed Oct 5 2005 6:17:56p ..S.R 233,724 228.25 K
ir2ml5~1.dll Wed Oct 5 2005 7:32:56p ..S.R 233,724 228.25 K
iyetab32.dll Wed Oct 5 2005 8:23:52p ..... 233,724 228.25 K
k6440g~1.dll Wed Oct 5 2005 7:36:20p ..S.R 233,724 228.25 K
p0r40a~1.dll Tue Oct 4 2005 9:57:00a ..S.R 233,724 228.25 K

8 items found: 8 files (4 H/S), 0 directories.
Total of file sizes: 1,508,724 bytes 1.44 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
103.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
104.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
105.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
106.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
107.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
108.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
109.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
10a.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
10b.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
10c.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
10d.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
10e.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
10f.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
110.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
111.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
112.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
113.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
114.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
115.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
116.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
117.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
118.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
119.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11a.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11b.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11c.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11d.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11e.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
11f.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
120.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
121.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
122.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
123.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
124.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
125.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
126.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
127.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
128.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
129.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12a.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12b.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12c.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12d.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12e.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
12f.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
130.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
131.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
132.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
133.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
134.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
135.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
136.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
137.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
138.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
139.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13a.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13b.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13c.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13d.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13e.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
13f.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
140.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
141.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
142.tmp Wed Oct 5 2005 8:19:06p A.... 233,724 228.25 K
143.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
144.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
145.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
146.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
147.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
148.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
149.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14a.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14b.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14c.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14d.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14e.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
14f.tmp Wed Oct 5 2005 8:19:08p A.... 233,724 228.25 K
150.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
151.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
152.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
153.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
154.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
155.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
156.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
157.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
158.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
159.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
15a.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
15b.tmp Wed Oct 5 2005 8:19:10p A.... 233,724 228.25 K
15c.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
15d.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
15e.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
15f.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
160.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
161.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
162.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
163.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
164.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
165.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
166.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
167.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
168.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
169.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
16a.tmp Wed Oct 5 2005 8:19:12p A.... 233,724 228.25 K
16b.tmp Wed Oct 5 2005 8:19:14p A.... 233,724 228.25 K
16c.tmp Wed Oct 5 2005 8:19:14p A.... 233,724 228.25 K
16d.tmp Wed Oct 5 2005 8:19:14p A.... 233,724 228.25 K
16e.tmp Wed Oct 5 2005 8:19:14p A.... 233,724 228.25 K
16f.tmp Wed Oct 5 2005 8:19:14p A.... 233,724 228.25 K

*******
continues in sequence
*******

650.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
651.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
652.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
653.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
654.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
655.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
656.tmp Wed Oct 5 2005 8:22:30p A.... 233,724 228.25 K
657.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
658.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
659.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65a.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65b.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65c.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65d.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65e.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
65f.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
660.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
661.tmp Wed Oct 5 2005 8:22:32p A.... 233,724 228.25 K
662.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
663.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
664.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
665.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
666.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
667.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
668.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
669.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
66a.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
66b.tmp Wed Oct 5 2005 8:22:34p A.... 233,724 228.25 K
66c.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
66d.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
66e.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
66f.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
670.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
671.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
672.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
673.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
674.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
675.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
676.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
677.tmp Wed Oct 5 2005 8:22:36p A.... 233,724 228.25 K
678.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
679.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67a.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67b.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67c.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67d.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67e.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
67f.tmp Wed Oct 5 2005 8:22:38p A.... 233,724 228.25 K
680.tmp Wed Oct 5 2005 8:22:38p A.... 512 0.50 K
guard.tmp Wed Oct 5 2005 8:26:52p ..S.R 233,724 228.25 K

1,407 items found: 1,407 files (1 H/S), 0 directories.
Total of file sizes: 328,616,456 bytes 313.39 M
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8857-A63C

Directory of C:\WINDOWS\System32

10/05/2005 08:26 PM 233,724 guard.tmp
10/05/2005 07:36 PM 233,724 k6440ghqe64e0.dll
10/05/2005 07:32 PM 233,724 ir2ml5f11.dll
10/05/2005 06:17 PM 233,724 ilcvid.dll
10/04/2005 09:56 AM 233,724 p0r40a9qed.dll
07/02/2005 02:06 PM <DIR> dllcache
04/12/2003 09:45 AM <DIR> Microsoft
5 File(s) 1,168,620 bytes
2 Dir(s) 34,373,349,376 bytes free

Edited by LeatherCat, 06 October 2005 - 01:44 PM.

#6 LeatherCat (Topic Starter, Member, 14 posts)
My guess is that the abbreviated length of the 680.tmp file is because that's when I hit the 120-volt interrupt during the Panda virus scan.

#7 Wizard (Retired Staff, 5,661 posts)
Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer.

After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.

Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.


Once those steps are done-> Run the l2mfix again and select Option 4 to restore the registry keys that l2m fubared!

Post the logs from Option 2 and 4 along with a fresh HijackThis log!

#8 LeatherCat (Topic Starter, Member, 14 posts)
Next in the series:

from l2mfix.log

=-=-=-=-=-=-=-=

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1820 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1896 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ilcvid.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ir2ml5f11.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k6440ghqe64e0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\103.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\104.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\105.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\106.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\107.tmp

****
continues in sequence
****

Backing Up: C:\WINDOWS\system32\640.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\641.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\642.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\643.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\644.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\645.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\646.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\647.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\648.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\649.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\64A.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ilcvid.dll
Successfully Deleted: C:\WINDOWS\system32\ilcvid.dll
deleting: C:\WINDOWS\system32\ir2ml5f11.dll
Successfully Deleted: C:\WINDOWS\system32\ir2ml5f11.dll
deleting: C:\WINDOWS\system32\k6440ghqe64e0.dll
Successfully Deleted: C:\WINDOWS\system32\k6440ghqe64e0.dll
deleting: C:\WINDOWS\system32\103.tmp
Successfully Deleted: C:\WINDOWS\system32\103.tmp
deleting: C:\WINDOWS\system32\104.tmp
Successfully Deleted: C:\WINDOWS\system32\104.tmp
deleting: C:\WINDOWS\system32\105.tmp
Successfully Deleted: C:\WINDOWS\system32\105.tmp
deleting: C:\WINDOWS\system32\106.tmp
Successfully Deleted: C:\WINDOWS\system32\106.tmp
deleting: C:\WINDOWS\system32\107.tmp
Successfully Deleted: C:\WINDOWS\system32\107.tmp
deleting: C:\WINDOWS\system32\108.tmp
Successfully Deleted: C:\WINDOWS\system32\108.tmp
deleting: C:\WINDOWS\system32\109.tmp
Successfully Deleted: C:\WINDOWS\system32\109.tmp
deleting: C:\WINDOWS\system32\10A.tmp
Successfully Deleted: C:\WINDOWS\system32\10A.tmp


****
continues in sequence
****

deleting: C:\WINDOWS\system32\640.tmp
Successfully Deleted: C:\WINDOWS\system32\640.tmp
deleting: C:\WINDOWS\system32\641.tmp
Successfully Deleted: C:\WINDOWS\system32\641.tmp
deleting: C:\WINDOWS\system32\642.tmp
Successfully Deleted: C:\WINDOWS\system32\642.tmp
deleting: C:\WINDOWS\system32\643.tmp
Successfully Deleted: C:\WINDOWS\system32\643.tmp
deleting: C:\WINDOWS\system32\644.tmp
Successfully Deleted: C:\WINDOWS\system32\644.tmp
deleting: C:\WINDOWS\system32\645.tmp
Successfully Deleted: C:\WINDOWS\system32\645.tmp
deleting: C:\WINDOWS\system32\646.tmp
Successfully Deleted: C:\WINDOWS\system32\646.tmp
deleting: C:\WINDOWS\system32\647.tmp
Successfully Deleted: C:\WINDOWS\system32\647.tmp
deleting: C:\WINDOWS\system32\648.tmp
Successfully Deleted: C:\WINDOWS\system32\648.tmp
deleting: C:\WINDOWS\system32\649.tmp
Successfully Deleted: C:\WINDOWS\system32\649.tmp
deleting: C:\WINDOWS\system32\64A.tmp
Successfully Deleted: C:\WINDOWS\system32\64A.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: ilcvid.dll (208 bytes security) (deflated 4%)
adding: ir2ml5f11.dll (208 bytes security) (deflated 4%)
adding: k6440ghqe64e0.dll (208 bytes security) (deflated 4%)
adding: 103.tmp (208 bytes security) (deflated 4%)
adding: 104.tmp (208 bytes security) (deflated 4%)
adding: 105.tmp (208 bytes security) (deflated 4%)
adding: 106.tmp (208 bytes security) (deflated 4%)
adding: 107.tmp (208 bytes security) (deflated 4%)
adding: 108.tmp (208 bytes security) (deflated 4%)
adding: 109.tmp (208 bytes security) (deflated 4%)
adding: 10A.tmp (208 bytes security) (deflated 4%)
adding: 10B.tmp (208 bytes security) (deflated 4%)
adding: 10C.tmp (208 bytes security) (deflated 4%)
adding: 10D.tmp (208 bytes security) (deflated 4%)
adding: 10E.tmp (208 bytes security) (deflated 4%)
adding: 10F.tmp (208 bytes security) (deflated 4%)

****
continues in sequence
****

adding: 640.tmp (208 bytes security) (deflated 4%)
adding: 641.tmp (208 bytes security) (deflated 4%)
adding: 642.tmp (208 bytes security) (deflated 4%)
adding: 643.tmp (208 bytes security) (deflated 4%)
adding: 644.tmp (208 bytes security) (deflated 4%)
adding: 645.tmp (208 bytes security) (deflated 4%)
adding: 646.tmp (208 bytes security) (deflated 4%)
adding: 647.tmp (208 bytes security) (deflated 4%)
adding: 648.tmp (208 bytes security) (deflated 4%)
adding: 649.tmp (208 bytes security) (deflated 4%)
adding: 64A.tmp (208 bytes security) (deflated 4%)
adding: guard.tmp (208 bytes security) (deflated 4%)
adding: clear.reg (208 bytes security) (deflated 52%)
adding: Import.txt (208 bytes security) (deflated 78%)
adding: lo2.txt (208 bytes security) (deflated 95%)
adding: MDacLog.txt (208 bytes security) (deflated 94%)
adding: test.txt (208 bytes security) (deflated 94%)
adding: test2.txt (208 bytes security) (deflated 33%)
adding: test3.txt (208 bytes security) (deflated 33%)
adding: test5.txt (208 bytes security) (deflated 33%)
adding: xfind.txt (208 bytes security) (deflated 92%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: ilcvid.dll
deleting local copy: ir2ml5f11.dll
deleting local copy: k6440ghqe64e0.dll
deleting local copy: 103.tmp
deleting local copy: 104.tmp
deleting local copy: 105.tmp
deleting local copy: 106.tmp
deleting local copy: 107.tmp
deleting local copy: 108.tmp
deleting local copy: 109.tmp
deleting local copy: 10A.tmp
deleting local copy: 10B.tmp
deleting local copy: 10C.tmp
deleting local copy: 10D.tmp
deleting local copy: 10E.tmp
deleting local copy: 10F.tmp

****
continues in sequence
****

deleting local copy: 640.tmp
deleting local copy: 641.tmp
deleting local copy: 642.tmp
deleting local copy: 643.tmp
deleting local copy: 644.tmp
deleting local copy: 645.tmp
deleting local copy: 646.tmp
deleting local copy: 647.tmp
deleting local copy: 648.tmp
deleting local copy: 649.tmp
deleting local copy: 64A.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ilcvid.dll
C:\WINDOWS\system32\ir2ml5f11.dll
C:\WINDOWS\system32\k6440ghqe64e0.dll
C:\WINDOWS\system32\103.tmp
C:\WINDOWS\system32\104.tmp
C:\WINDOWS\system32\105.tmp
C:\WINDOWS\system32\106.tmp
C:\WINDOWS\system32\107.tmp
C:\WINDOWS\system32\108.tmp
C:\WINDOWS\system32\109.tmp
C:\WINDOWS\system32\10A.tmp
C:\WINDOWS\system32\10B.tmp
C:\WINDOWS\system32\10C.tmp
C:\WINDOWS\system32\10D.tmp
C:\WINDOWS\system32\10E.tmp
C:\WINDOWS\system32\10F.tmp

****
continues in sequence
****

C:\WINDOWS\system32\640.tmp
C:\WINDOWS\system32\641.tmp
C:\WINDOWS\system32\642.tmp
C:\WINDOWS\system32\643.tmp
C:\WINDOWS\system32\644.tmp
C:\WINDOWS\system32\645.tmp
C:\WINDOWS\system32\646.tmp
C:\WINDOWS\system32\647.tmp
C:\WINDOWS\system32\648.tmp
C:\WINDOWS\system32\649.tmp
C:\WINDOWS\system32\64A.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6192E451-AA25-434C-84B6-5D36583D1DED}"=-
"{3E50A167-6BBE-476C-AC57-3593AAC58F55}"=-
"{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}"=-
"{69EBB12A-4ED2-4D54-9275-210814C69C9A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}]
[-HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}]
[-HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}]
[-HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


=-=-=-=-=-=-=-=-=-=

from HijackThis:

=-=-=-=-=-=-=-=-=-=

Logfile of HijackThis v1.99.1
Scan saved at 7:04:08 PM, on 10/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\explorer.exe
F:\active\common\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe


=-=-=-=-=-=-=-=-=-=

from l2mfix restore:

=-=-=-=-=-=-=-=-=-=

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM

=-=-=-=-=-=-=-=

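The l2mfix output in post #5 (the "HKEY ROOT CLASSIDS" export and the two file listings) and the "Registry Entries that were Deleted" block in post #8 together show the whole persistence pattern: entries in Shell Extensions\Approved with a blank description, whose CLSID's InprocServer32 points at a random-named DLL or a .tmp in system32, every one of them 233,724 bytes. The script below is an added example, not code from l2mfix, WinPFind or anyone in this thread. It parses the three listings in the shapes posted above, flags the registrations that fit that pattern with the evidence for each, and writes a removal script in the same REGEDIT4 form l2mfix produced. The sample inputs are trimmed, constructed copies of the thread's own logs; the WinZip InprocServer32 path is an assumed benign control entry and does not come from the logs.

```python
"""Triage of the Look2me shell-extension registrations seen in this thread: an added example,
not code from l2mfix, WinPFind or the thread's author. It parses the Approved listing, the
HKCR\\CLSID .reg export and the WinPFind file listing as posted, and emits an l2mfix-style REGEDIT4."""
import re
from collections import Counter

# Constructed sample input, trimmed from the logs posted in this thread. The WinZip
# InprocServer32 path is an assumed benign control entry, not taken from the logs.
APPROVED_TXT = r'''
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{6192E451-AA25-434C-84B6-5D36583D1DED}"=""
"{3E50A167-6BBE-476C-AC57-3593AAC58F55}"=""
"{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}"=""
"{69EBB12A-4ED2-4D54-9275-210814C69C9A}"=""
'''
CLSID_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{6192E451-AA25-434C-84B6-5D36583D1DED}\InprocServer32]
@="C:\\WINDOWS\\system32\\IYETAB32.DLL"
[HKEY_CLASSES_ROOT\CLSID\{3E50A167-6BBE-476C-AC57-3593AAC58F55}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
[HKEY_CLASSES_ROOT\CLSID\{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6}\InprocServer32]
@="C:\\WINDOWS\\system32\\sqrwvdrv.dll"
[HKEY_CLASSES_ROOT\CLSID\{69EBB12A-4ED2-4D54-9275-210814C69C9A}\InprocServer32]
@="C:\\WINDOWS\\system32\\ilcvid.dll"
[HKEY_CLASSES_ROOT\CLSID\{E0D79304-84BE-11CE-9641-444553540000}\InprocServer32]
@="C:\\Program Files\\WinZip\\WZSHLSTB.DLL"
'''
FILES_TXT = r'''
ilcvid.dll Wed Oct 5 2005 6:17:56p ..S.R 233,724 228.25 K
iyetab32.dll Wed Oct 5 2005 8:23:52p ..... 233,724 228.25 K
103.tmp Wed Oct 5 2005 8:19:04p A.... 233,724 228.25 K
guard.tmp Wed Oct 5 2005 8:26:52p ..S.R 233,724 228.25 K
'''

APPROVED_RE = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"="(.*)"$')
SERVER_KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$')
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
FILE_RE = re.compile(r'^(?P<name>\S+)\s+\w{3} \w{3}\s+\d+ \d{4} [\d:]+[ap] (?P<attrs>[A-Z.]{5}) (?P<size>[\d,]+) ')

def parse_approved(text):
    """CLSID -> description, from the Shell Extensions\\Approved value listing."""
    return {m.group(1).upper(): m.group(2)
            for m in map(APPROVED_RE.match, (l.strip() for l in text.splitlines())) if m}

def parse_inproc_servers(reg_text):
    """CLSID -> InprocServer32 default value (backslashes un-doubled) from a .reg export."""
    out, current = {}, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):                 # any key header resets the context
            key = SERVER_KEY_RE.match(line)
            current = key.group(1).upper() if key else None
        elif current and (val := DEFAULT_VALUE_RE.match(line)):
            out[current] = val.group(1).replace("\\\\", "\\")
    return out

def parse_file_listing(text):
    """lower-cased file name -> (size in bytes, attribute flags) from WinPFind output."""
    out = {}
    for m in map(FILE_RE.match, (l.strip() for l in text.splitlines())):
        if m:
            out[m.group("name").lower()] = (int(m.group("size").replace(",", "")), m.group("attrs"))
    return out

def triage(approved, servers, files):
    """[(clsid, server path, reasons)] for Approved entries with a blank description whose
    in-process server lives under system32; the file listing supplies the extra evidence."""
    sizes = Counter(size for size, _ in files.values())
    cluster_size = max(sizes, key=sizes.get) if sizes else None   # the 233,724-byte flood
    findings = []
    for clsid, name in approved.items():
        path = servers.get(clsid)
        if name or path is None or "\\system32\\" not in path.lower():
            continue
        fname = path.rsplit("\\", 1)[-1].lower()
        reasons = ["blank Approved description"]
        if fname.endswith(".tmp"):
            reasons.append("server is a .tmp file")
        if fname not in files:
            reasons.append("server file absent from listing")
        else:
            size, attrs = files[fname]
            if "S" in attrs or "R" in attrs:
                reasons.append("system/read-only attributes")
            if size == cluster_size:
                reasons.append("size matches the %d-byte drop-file cluster" % size)
        findings.append((clsid, path, reasons))
    return findings

def removal_reg(clsids):
    """REGEDIT4 script in the shape l2mfix wrote: un-approve, then delete the CLSID keys."""
    lines = ["REGEDIT4", "",
             r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]"]
    lines += ['"%s"=-' % c for c in clsids]
    lines += [r"[-HKEY_CLASSES_ROOT\CLSID\%s]" % c for c in clsids]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hits = triage(parse_approved(APPROVED_TXT), parse_inproc_servers(CLSID_REG), parse_file_listing(FILES_TXT))
    for clsid, path, reasons in hits:
        print(clsid, path, "; ".join(reasons))
    print(removal_reg([h[0] for h in hits]))
```

Run as-is it prints the four CLSIDs from this thread with their reasons and then the REGEDIT4 text; the WinZip control entry is skipped because it carries a description. The blank description is only a heuristic, since a few legitimate extensions register without one, so confirm with the file evidence (the .tmp extension, the S/R attributes, the size cluster) before deleting anything, and export the keys first as l2mfix does into its backreg folder. On a live machine the DLLs are loaded into explorer.exe as in-process shell extensions and cannot be deleted while it runs, which is why the l2mfix log above shows it killing explorer.exe and rundll32.exe before the deletions.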

#9 Wizard (Retired Staff, 5,661 posts)
I'm not so sure that option actually took; we will see in the next post!


Make sure Ewido is updated with the latest definitions so we can use it in safe mode again!


Download and Install
CleanUp!
Don't use it yet!


Reboot into SAFE MODE(Tap F8 when restarting)


Once in Safe Mode-> Run the CleanUp program-> Click the Cleanup tab and allow it to remove whatever temporary files it finds-> Once completed-> Click "Close"-> Click "NO" to Log off!


Make sure all Windows and Browsers are Closed and Scan the entire System with Ewido-> Clean all it finds and be sure to click the tab to Save a Report!


Still in Safe Mode-> Scan the PC with WinPFind again!


Restart normally and please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post back with a fresh HijackThis log and the reports from WinPFind-> Ewido and Kaspersky!

#10
LeatherCat
Topic Starter, Member
14 posts
A quick question if I may. The XP box on which we are currently working is networked to a number of other machines running Win95, Win98SE, XP-Professional, and Linux. Although I've not seen any evidence so far, I'm worried this bug MAY have hooks in the other Microsoft based boxes. I hope this is a groundless fear, but you know more about these "nasties" than I do. Please advise.

I hope this round gets it all :) Have been running all day and no pop-ups yet. Machine is much faster too. BTW the 14-day trial for Ewido ran out a week ago, so we are running 8-day-old files.

Ran cleanup - no problems

A very short while into the Ewido scan I realized it was finding all the 1400+ files we cleaned off and zipped yesterday. Killed the scan, deleted the file C:\backup.zip and ran Ewido again. Here is the result:

=-=-=-=-=-=-=-=-=

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:25:02 PM, 10/7/2005
+ Report-Checksum: 143FF61F

+ Scan result:

:mozilla.10:C:\Documents and Settings\POS\Application Data\Mozilla\Firefox\Profiles\qcz8ucgu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.11:C:\Documents and Settings\POS\Application Data\Mozilla\Firefox\Profiles\qcz8ucgu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.12:C:\Documents and Settings\POS\Application Data\Mozilla\Firefox\Profiles\qcz8ucgu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.13:C:\Documents and Settings\POS\Application Data\Mozilla\Firefox\Profiles\qcz8ucgu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup

::Report End


=-=-=-=-=-=-=-=-=

from WinPFind:
Should I be concerned that the "*.817" files in the "C:\WINDOWS\" directory are all exactly the same size?

=-=-=-=-=-=-=-=-=

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 10/18/2004 8:47:48 AM 5587526 C:\msbb_kyf.dat

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/20/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/7/2005 6:28:38 PM S 2048 C:\WINDOWS\bootstat.dat
10/5/2005 8:24:48 PM H 54156 C:\WINDOWS\QTFont.qfn
10/5/2005 8:25:10 PM H 23865 C:\WINDOWS\system32\FFASTLOG.TXT
10/7/2005 6:29:02 PM H 1024 C:\WINDOWS\system32\config\default.LOG
10/7/2005 6:28:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/7/2005 6:29:02 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
10/7/2005 6:37:58 PM H 69632 C:\WINDOWS\system32\config\software.LOG
10/7/2005 6:35:14 PM H 53248 C:\WINDOWS\system32\config\system.LOG
10/2/2005 3:26:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z6FGF8P\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLAVO12R\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TODNSRFF\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9KHAZ27\desktop.ini
10/7/2005 6:24:44 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 10/12/2001 10:30:50 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/11/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 12:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 3/25/2003 9:06:28 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/19/2005 1:26:08 PM 1797 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/26/2003 9:22:34 AM 801 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\System32\WEBCHECK.DLL
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/7/2005 7:35:04 PM


=-=-=-=-=-=-=-=-=

On re-boot AVG automatically ran a complete system scan and I let it run. It hasn't ever found anything before, so it was a bit of a surprise when up popped a number of virus occurrences. I guess they were hidden behind Look2Me.

Here is the result -- AVG wouldn't let me save the scan in a text file :tazz: but all were located in the file "C:\Program Files\Internet Explorer\vuklhijk.exe" and could not be cleaned by AVG.

=-=-=-=-=-=-=-=-=

On to the next scan, from the Kaspersky On-line scan (sorry, thought I'd asked for text instead of the HTML):

=-=-=-=-=-=-=-=-=

KASPERSKY ON-LINE SCANNER REPORT
Friday, October 07, 2005 22:01:41
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/10/2005
Kaspersky Anti-Virus database records: 152903

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 33903
Number of viruses found: 9
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 3849 sec

Infected Object Name -> Virus Name
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text -> Infected: Email-Worm.Win32.Mimail.txt
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED -> Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx -> Infected: Email-Worm.Win32.Mimail.a
C:\Program Files\Internet Explorer\vuklhijk.exe/ntcomm.exe -> Infected: not-a-virus:RiskTool.Win32.HideWindows
C:\Program Files\Internet Explorer\vuklhijk.exe/cabsys.exe -> Infected: not-a-virus:Client-IRC.Win32.mIRC.582
C:\Program Files\Internet Explorer\vuklhijk.exe/log.exe -> Infected: Backdoor.IRC.Ataka.i
C:\Program Files\Internet Explorer\vuklhijk.exe/sox.exe -> Infected: Trojan-Downloader.Win32.Small.bcs
C:\Program Files\Internet Explorer\vuklhijk.exe/cgcab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/dscab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/fpcab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/iscab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/sncab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/unicodbag.txt -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/vrcab.dll -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe/drx2.inf -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Internet Explorer\vuklhijk.exe -> Infected: Backdoor.IRC.Ataka.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN -> Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93 -> Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6/WISE0001.BIN -> Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6 -> Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
F:\active\common\kf141.zip/keyfinder.exe/xpkey.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip/keyfinder.exe/officekey.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip/keyfinder.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe/xpkey.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe/officekey.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe -> Infected: not-a-virus:PSWTool.Win32.RAS.a

Scan process completed.

=-=-=-=-=-=-=-=-=

Finally, the HijackThis log:

=-=-=-=-=-=-=-=-=

Logfile of HijackThis v1.99.1
Scan saved at 10:07:30 PM, on 10/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ZipToA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
F:\active\common\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-a.../ipix/ipixx.cab
O16 - DPF: {3B2E9991-0C57-426F-A5E4-784C7A5C6420} (Datasheet control) - http://alldatasheet.com/Datasheet.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095293862129
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1466F5-E737-4BB0-967A-3CD7A494DF27}: NameServer = 192.168.1.30,207.102.93.157
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

=-=-=-=-=-=-=-=-=
  • 0

#11
Wizard
Retired Staff, 5,661 posts
OK, what you posted was enough to go off of for now!

Reboot into SAFE MODE (Tap F8 when restarting)


After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingc...torial=62#winxp

Locate and Delete

C:\msbb_kyf.dat

C:\Program Files\Internet Explorer\vuklhijk.exe


These next 2 I am a bit unsure about as the descriptions are bleak, so if you have no idea what these are or how they made it on the PC, delete them!

F:\active\common\kf141.zip

F:\active\common\keyfinder.exe


Next, we need to clean out all your old emails which I believe you will find in this location

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx

You should also take a look at your Outlook Express message folders. When you delete a message or move it to another folder, OE simply marks the original message as deleted without actually removing it. Start by right-clicking on the Deleted Items folder and emptying it. Then choose File | Folder | Compact All Folders to free up all the space occupied by those marked messages. If you've never done this before, emptying the folders can take quite a while. Afterward, OE may load noticeably faster.


Once all this is done, have HijackThis fix these

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.active123.com/

R3 - Default URLSearchHook is missing

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab


Exactly which files are you speaking of?

If it's all those tmp files, they can go as well, they are temporary files!
  • 0
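The entries the helper above tells HijackThis to fix can be picked out mechanically from the log format. This is an added example, not HijackThis' own code or anything posted in this thread; it triages lines in the posted format and assumes the set of expected home-page domains shown in the code.

```python
"""
Added example (not HijackThis' or the forum's own code): triage a HijackThis
v1.99 log and flag the entry classes the helper chose to fix above:
  * R0/R1 start page or default page pointing outside an expected domain set,
  * R3 "Default URLSearchHook is missing",
  * O16 DPF (downloaded ActiveX) entries with no friendly name in parentheses.
The expected-domain set is an assumption made for this example.
"""
import re
from urllib.parse import urlparse

# Assumption: domains this machine's owner/OEM legitimately set as home page.
EXPECTED_HOME_DOMAINS = {"www.emachines.com", "www.msn.com", "www.microsoft.com"}

# R0/R1 lines look like: "R0 - <hive key>,<value name> = <url>"
R_LINE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>\S+)$")
R3_MISSING = "R3 - Default URLSearchHook is missing"
# O16 lines look like: "O16 - DPF: {CLSID} (Friendly Name) - <url>"; the name is optional.
O16_LINE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def triage(lines):
    """Return (line, reason) pairs for entries a reviewer would want to fix or inspect."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == R3_MISSING:
            findings.append((line, "default URLSearchHook removed; restore it with the HijackThis fix"))
            continue
        m = R_LINE.match(line)
        if m:
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in EXPECTED_HOME_DOMAINS:
                findings.append((line, f"{m.group('value')} set to unexpected host {host}"))
            continue
        m = O16_LINE.match(line)
        if m and not m.group("name"):
            # Not proof of malice by itself, but a downloaded ActiveX control registered
            # without a name is worth removing when its origin cannot be explained.
            findings.append((line, f"downloaded ActiveX control {m.group('clsid')} has no friendly name"))
    return findings


# Sample input copied from the log posted above (truncated URLs kept as posted).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.active123.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.active123.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...all/install.cab
"""


def triage_sample():
    """Run the triage over the sample lines; returns the five flagged entries."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for line, reason in triage_sample():
        print(f"{reason}\n    {line}")
```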

#12
LeatherCat
Topic Starter, Member, 14 posts
Hi again Cretemonster
I'm back from an extended Thanksgiving holiday weekend. (Canada)
I've deleted the suspected virus files and done the recommended fixes with HijackThis.
However when I went to clean out the email logs from Outlook Express (C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx), there was no option upon right-click to "empty" the file. I was going to simply delete the thing but was unsure how Outlook would respond to a missing file. Does it get re-created?

This run I've (from safe mode) re-run Cleanup

Ewido (ran clean - See post)
=-=-=-=-=-=-=-=-=-=-=
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:58:09 PM, 10/12/2005
+ Report-Checksum: C0F8B686

+ Scan result:

No infected objects found.


::Report End
=-=-=-=-=-=-=-=-=-=-=

Ran WinPFind again. (Not sure I like this result - all the "ad-w-a-r-e.com" files - See post)

=-=-=-=-=-=-=-=-=-=-=
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
aspack 10/18/2004 8:47:48 AM 5587526 C:\msbb_kyf.dat

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\lpt$vpn.817
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
qoologic 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
SAHAgent 9/2/2005 2:15:16 AM 15724881 C:\WINDOWS\VPTNFILE.817
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
WinShutDown 9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\afi2dvaa.dll
ad-w-a-r-e.com 9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\afi2dvaa.dll
WinShutDown 9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\SYSTEM32\ajstream.dll
ad-w-a-r-e.com 9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\SYSTEM32\ajstream.dll
WinShutDown 9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\SYSTEM32\amfsipc.dll
ad-w-a-r-e.com 9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\SYSTEM32\amfsipc.dll
WinShutDown 9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\SYSTEM32\ATPXEC32.DLL
ad-w-a-r-e.com 9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\SYSTEM32\ATPXEC32.DLL
WinShutDown 9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\SYSTEM32\ayvapi32.dll
ad-w-a-r-e.com 9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\SYSTEM32\ayvapi32.dll
WinShutDown 9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\SYSTEM32\azctres.dll
ad-w-a-r-e.com 9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\SYSTEM32\azctres.dll
WinShutDown 9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\SYSTEM32\cbfgnt.dll
ad-w-a-r-e.com 9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\SYSTEM32\cbfgnt.dll
WinShutDown 9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\SYSTEM32\chutil.dll
ad-w-a-r-e.com 9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\SYSTEM32\chutil.dll
WinShutDown 9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\SYSTEM32\CKMMTB32.DLL
ad-w-a-r-e.com 9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\SYSTEM32\CKMMTB32.DLL
WinShutDown 9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\SYSTEM32\cnlbact.dll
ad-w-a-r-e.com 9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\SYSTEM32\cnlbact.dll
WinShutDown 9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\SYSTEM32\cpcui.dll
ad-w-a-r-e.com 9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\SYSTEM32\cpcui.dll
WinShutDown 9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\SYSTEM32\crmcat.dll
ad-w-a-r-e.com 9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\SYSTEM32\crmcat.dll
WinShutDown 9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\SYSTEM32\cTis2022.dll
ad-w-a-r-e.com 9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\SYSTEM32\cTis2022.dll
WinShutDown 9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\SYSTEM32\cZpesnpn.dll
ad-w-a-r-e.com 9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\SYSTEM32\cZpesnpn.dll
WinShutDown 9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\SYSTEM32\dcnet.dll
ad-w-a-r-e.com 9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\SYSTEM32\dcnet.dll
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
WinShutDown 9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\SYSTEM32\dktrans.dll
ad-w-a-r-e.com 9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\SYSTEM32\dktrans.dll
WinShutDown 9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\SYSTEM32\dyvenum.dll
ad-w-a-r-e.com 9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\SYSTEM32\dyvenum.dll
WinShutDown 9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\SYSTEM32\ews.dll
ad-w-a-r-e.com 9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\SYSTEM32\ews.dll
WinShutDown 9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\SYSTEM32\glkrsrc.dll
ad-w-a-r-e.com 9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\SYSTEM32\glkrsrc.dll
WinShutDown 9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\SYSTEM32\hltplug.dll
ad-w-a-r-e.com 9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\SYSTEM32\hltplug.dll
WinShutDown 10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\SYSTEM32\hrl4053qe.dll
ad-w-a-r-e.com 10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\SYSTEM32\hrl4053qe.dll
WinShutDown 9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\SYSTEM32\hYshlib.dll
ad-w-a-r-e.com 9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\SYSTEM32\hYshlib.dll
WinShutDown 9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\SYSTEM32\iaetppui.dll
ad-w-a-r-e.com 9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\SYSTEM32\iaetppui.dll
WinShutDown 9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\SYSTEM32\idsso.dll
ad-w-a-r-e.com 9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\SYSTEM32\idsso.dll
WinShutDown 9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\ikfxdgps.dll
ad-w-a-r-e.com 9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\SYSTEM32\ikfxdgps.dll
WinShutDown 9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\SYSTEM32\irlogmsg.dll
ad-w-a-r-e.com 9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\SYSTEM32\irlogmsg.dll
WinShutDown 10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\SYSTEM32\IUX32d56.dll
ad-w-a-r-e.com 10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\SYSTEM32\IUX32d56.dll
WinShutDown 9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\SYSTEM32\kcd101a.dll
ad-w-a-r-e.com 9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\SYSTEM32\kcd101a.dll
WinShutDown 9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\SYSTEM32\kgdca.dll
ad-w-a-r-e.com 9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\SYSTEM32\kgdca.dll
WinShutDown 9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\SYSTEM32\kqdheb.dll
ad-w-a-r-e.com 9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\SYSTEM32\kqdheb.dll
WinShutDown 9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\SYSTEM32\kqduzb.dll
ad-w-a-r-e.com 9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\SYSTEM32\kqduzb.dll
WinShutDown 9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\SYSTEM32\kydcz2.dll
ad-w-a-r-e.com 9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\SYSTEM32\kydcz2.dll
WinShutDown 9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\SYSTEM32\kzdinguj.dll
ad-w-a-r-e.com 9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\SYSTEM32\kzdinguj.dll
WinShutDown 9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\SYSTEM32\lirhelp.dll
ad-w-a-r-e.com 9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\SYSTEM32\lirhelp.dll
WinShutDown 10/2/2005 4:26:58 PM 235741 C:\WINDOWS\SYSTEM32\lv2q09f5e.dll
ad-w-a-r-e.com 10/2/2005 4:26:58 PM 235741 C:\WINDOWS\SYSTEM32\lv2q09f5e.dll
WinShutDown 9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\SYSTEM32\MFPI.DLL
ad-w-a-r-e.com 9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\SYSTEM32\MFPI.DLL
WinShutDown 9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\SYSTEM32\mhfutil.dll
ad-w-a-r-e.com 9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\SYSTEM32\mhfutil.dll
WinShutDown 9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mjvcp50.dll
ad-w-a-r-e.com 9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mjvcp50.dll
WinShutDown 9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\SYSTEM32\mNg_hook.dll
ad-w-a-r-e.com 9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\SYSTEM32\mNg_hook.dll
WinShutDown 9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mprepl40.dll
ad-w-a-r-e.com 9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\SYSTEM32\mprepl40.dll
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
WinShutDown 9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\SYSTEM32\mtasn1.dll
ad-w-a-r-e.com 9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\SYSTEM32\mtasn1.dll
WinShutDown 10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\SYSTEM32\mv48l9hu1.dll
ad-w-a-r-e.com 10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\SYSTEM32\mv48l9hu1.dll
WinShutDown 9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\SYSTEM32\nwmsdba.dll
ad-w-a-r-e.com 9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\SYSTEM32\nwmsdba.dll
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
WinShutDown 10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\SYSTEM32\pzrfdisk.dll
ad-w-a-r-e.com 10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\SYSTEM32\pzrfdisk.dll
Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
WinShutDown 9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\SYSTEM32\rLsauto.dll
ad-w-a-r-e.com 9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\SYSTEM32\rLsauto.dll
WinShutDown 9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\SYSTEM32\rSsman.dll
ad-w-a-r-e.com 9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\SYSTEM32\rSsman.dll
WinShutDown 9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\SYSTEM32\rUsauto.dll
ad-w-a-r-e.com 9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\SYSTEM32\rUsauto.dll
WinShutDown 9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\SYSTEM32\RYCRES.dll
ad-w-a-r-e.com 9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\SYSTEM32\RYCRES.dll
WinShutDown 9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sai.dll
ad-w-a-r-e.com 9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sai.dll
WinShutDown 9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\SYSTEM32\SALSRV32.dll
ad-w-a-r-e.com 9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\SYSTEM32\SALSRV32.dll
WinShutDown 9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\SYSTEM32\sgftpub.dll
ad-w-a-r-e.com 9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\SYSTEM32\sgftpub.dll
WinShutDown 9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sje.dll
ad-w-a-r-e.com 9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\SYSTEM32\sje.dll
WinShutDown 9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\SYSTEM32\smell32.dll
ad-w-a-r-e.com 9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\SYSTEM32\smell32.dll
WinShutDown 10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\SYSTEM32\sqrwvdrv.dll
ad-w-a-r-e.com 10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\SYSTEM32\sqrwvdrv.dll
WinShutDown 9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\SYSTEM32\SXLFREG.DLL
ad-w-a-r-e.com 9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\SYSTEM32\SXLFREG.DLL
WinShutDown 9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\SYSTEM32\tfemeui.dll
ad-w-a-r-e.com 9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\SYSTEM32\tfemeui.dll
WinShutDown 9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\SYSTEM32\uyrvoica.dll
ad-w-a-r-e.com 9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\SYSTEM32\uyrvoica.dll
WinShutDown 9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\SYSTEM32\wahext.dll
ad-w-a-r-e.com 9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\SYSTEM32\wahext.dll
WinShutDown 9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wbadss.dll
ad-w-a-r-e.com 9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wbadss.dll
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
WinShutDown 9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\SYSTEM32\wii.dll
ad-w-a-r-e.com 9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\SYSTEM32\wii.dll
WinShutDown 9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wrdsp.dll
ad-w-a-r-e.com 9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\SYSTEM32\wrdsp.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/5/2005 6:17:30 PM S 2048 C:\WINDOWS\bootstat.dat
10/4/2005 9:57:08 AM H 54156 C:\WINDOWS\QTFont.qfn
9/20/2005 9:21:40 PM R S 234272 C:\WINDOWS\system32\afi2dvaa.dll
9/21/2005 6:33:50 PM R S 234272 C:\WINDOWS\system32\ajstream.dll
9/20/2005 8:00:40 PM R S 234272 C:\WINDOWS\system32\amfsipc.dll
9/20/2005 7:31:38 AM R S 234272 C:\WINDOWS\system32\ATPXEC32.DLL
9/20/2005 5:23:34 AM R S 234272 C:\WINDOWS\system32\ayvapi32.dll
9/22/2005 5:57:16 AM R S 234272 C:\WINDOWS\system32\azctres.dll
9/20/2005 2:58:40 PM R S 234272 C:\WINDOWS\system32\cbfgnt.dll
9/19/2005 11:16:30 PM R S 234272 C:\WINDOWS\system32\chutil.dll
9/22/2005 4:43:18 AM R S 234272 C:\WINDOWS\system32\CKMMTB32.DLL
9/19/2005 3:59:24 PM R S 234272 C:\WINDOWS\system32\cnlbact.dll
9/20/2005 12:22:30 AM R S 234272 C:\WINDOWS\system32\cpcui.dll
9/21/2005 5:30:42 AM R S 234272 C:\WINDOWS\system32\crmcat.dll
9/21/2005 2:12:50 PM R S 234272 C:\WINDOWS\system32\cTis2022.dll
9/22/2005 11:05:24 AM R S 234272 C:\WINDOWS\system32\cZpesnpn.dll
9/21/2005 10:11:48 AM R S 234272 C:\WINDOWS\system32\dcnet.dll
9/21/2005 11:32:46 AM R S 234272 C:\WINDOWS\system32\dktrans.dll
9/21/2005 12:09:42 AM R S 234272 C:\WINDOWS\system32\dyvenum.dll
9/21/2005 6:44:42 AM R S 234272 C:\WINDOWS\system32\ews.dll
10/4/2005 9:58:46 AM H 23799 C:\WINDOWS\system32\FFASTLOG.TXT
9/19/2005 7:31:30 PM R S 234272 C:\WINDOWS\system32\glkrsrc.dll
10/2/2005 6:06:52 PM R S 233724 C:\WINDOWS\system32\h60qlgd5160.dll
9/22/2005 9:38:24 AM R S 234272 C:\WINDOWS\system32\hltplug.dll
10/4/2005 9:54:18 AM R S 235212 C:\WINDOWS\system32\hrl4053qe.dll
9/21/2005 4:20:50 PM R S 234272 C:\WINDOWS\system32\hYshlib.dll
9/20/2005 1:32:30 AM R S 234272 C:\WINDOWS\system32\iaetppui.dll
9/20/2005 5:34:42 PM R S 234272 C:\WINDOWS\system32\idsso.dll
9/20/2005 4:21:40 PM R S 234272 C:\WINDOWS\system32\ikfxdgps.dll
10/5/2005 6:17:56 PM R S 233724 C:\WINDOWS\system32\ilcvid.dll
9/21/2005 7:52:44 AM R S 234272 C:\WINDOWS\system32\irlogmsg.dll
10/2/2005 5:09:12 PM R S 235212 C:\WINDOWS\system32\IUX32d56.dll
9/20/2005 11:13:40 AM R S 234272 C:\WINDOWS\system32\kcd101a.dll
9/19/2005 6:22:38 PM R S 234272 C:\WINDOWS\system32\kgdca.dll
9/20/2005 8:39:38 AM R S 234272 C:\WINDOWS\system32\kqdheb.dll
9/21/2005 4:18:42 AM R S 234272 C:\WINDOWS\system32\kqduzb.dll
9/21/2005 5:28:50 PM R S 234272 C:\WINDOWS\system32\kydcz2.dll
9/22/2005 12:36:52 AM R S 234272 C:\WINDOWS\system32\kzdinguj.dll
9/21/2005 8:53:44 AM R S 234272 C:\WINDOWS\system32\lirhelp.dll
9/21/2005 8:43:50 PM R S 234272 C:\WINDOWS\system32\MFPI.DLL
9/21/2005 2:52:42 AM R S 234272 C:\WINDOWS\system32\mhfutil.dll
9/21/2005 1:25:40 AM R S 234272 C:\WINDOWS\system32\mjvcp50.dll
9/20/2005 1:48:38 PM R S 234272 C:\WINDOWS\system32\mNg_hook.dll
9/22/2005 8:14:40 AM R S 234272 C:\WINDOWS\system32\mprepl40.dll
9/21/2005 7:36:50 PM R S 234272 C:\WINDOWS\system32\mtasn1.dll
10/2/2005 5:02:58 PM R S 235212 C:\WINDOWS\system32\mv48l9hu1.dll
9/22/2005 1:52:52 AM R S 234272 C:\WINDOWS\system32\nwmsdba.dll
10/4/2005 9:57:00 AM R S 233724 C:\WINDOWS\system32\p0r40a9qed.dll
10/2/2005 5:45:40 PM R S 235212 C:\WINDOWS\system32\pzrfdisk.dll
9/20/2005 4:09:34 AM R S 234272 C:\WINDOWS\system32\rLsauto.dll
9/19/2005 8:59:28 PM R S 234272 C:\WINDOWS\system32\rSsman.dll
9/22/2005 3:19:54 AM R S 234272 C:\WINDOWS\system32\rUsauto.dll
9/20/2005 12:31:40 PM R S 234272 C:\WINDOWS\system32\RYCRES.dll
9/19/2005 10:05:28 PM R S 234272 C:\WINDOWS\system32\sai.dll
9/22/2005 7:08:36 AM R S 234272 C:\WINDOWS\system32\SALSRV32.dll
9/21/2005 3:17:50 PM R S 234272 C:\WINDOWS\system32\sgftpub.dll
9/19/2005 2:39:28 PM R S 234272 C:\WINDOWS\system32\sje.dll
9/20/2005 9:44:38 AM R S 234272 C:\WINDOWS\system32\smell32.dll
10/2/2005 4:26:58 PM R S 235212 C:\WINDOWS\system32\sqrwvdrv.dll
9/21/2005 10:05:52 PM R S 234272 C:\WINDOWS\system32\SXLFREG.DLL
9/20/2005 6:59:40 PM R S 234272 C:\WINDOWS\system32\tfemeui.dll
9/21/2005 12:50:56 PM R S 234272 C:\WINDOWS\system32\uyrvoica.dll
9/21/2005 11:07:50 PM R S 234272 C:\WINDOWS\system32\wahext.dll
9/20/2005 6:28:34 AM R S 234272 C:\WINDOWS\system32\wbadss.dll
9/20/2005 10:40:40 PM R S 234272 C:\WINDOWS\system32\wii.dll
9/20/2005 2:55:34 AM R S 234272 C:\WINDOWS\system32\wrdsp.dll
10/5/2005 6:17:56 PM H 24576 C:\WINDOWS\system32\config\default.LOG
10/5/2005 6:17:52 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/5/2005 6:17:32 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/5/2005 6:20:54 PM H 53248 C:\WINDOWS\system32\config\software.LOG
10/5/2005 6:17:38 PM H 880640 C:\WINDOWS\system32\config\system.LOG
10/2/2005 3:26:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z6FGF8P\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLAVO12R\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\TODNSRFF\desktop.ini
10/4/2005 9:58:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X9KHAZ27\desktop.ini
10/4/2005 9:55:48 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 10/12/2001 10:30:50 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/11/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 12:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 3/25/2003 9:06:28 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/19/2005 1:26:08 PM 1797 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/26/2003 9:22:34 AM 801 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{6192E451-AA25-434C-84B6-5D36583D1DED} = C:\WINDOWS\system32\svrio800.dll
{3E50A167-6BBE-476C-AC57-3593AAC58F55} = C:\WINDOWS\system32\guard.tmp
{AB2377B7-C82A-40C2-ACA4-5DF6FD3585A6} = C:\WINDOWS\system32\sqrwvdrv.dll
{69EBB12A-4ED2-4D54-9275-210814C69C9A} = C:\WINDOWS\system32\ilcvid.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\System32\WEBCHECK.DLL
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/5/2005 6:41:41 PM

=-=-=-=-=-=-=-=-=-=-=

and then the Microsoft/Giant scanner (Ran clean)

=-=-=-=-=-=-=-=-=-=-=

Results from a new Panda scan (not quite totally clean - listed as suspicious file)

=-=-=-=-=-=-=-=-=-=-=

Incident Status Location

Possible Virus. No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93

=-=-=-=-=-=-=-=-=-=-=

Will run a new Kaspersky tomorrow and post that unless otherwise directed. In the meanwhile I've set the security level in "Internet Explorer" to the highest level (Nearly useless).
:tazz:
  • 0
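Not part of the thread: as an added illustration of how to read a WinPFind registry dump like the one posted above, here is a small Python triage script (my own code, not WinPFind's or l2mfix's) that parses the dump's `[key]` / value layout, lists the Run-key autoruns with the executable separated from its arguments, and compares the Winlogon load points (UserInit, Shell, the Notify subkeys that l2mfix locks down, and AppInit_DLLs) against what a clean XP box shows. The first sample is lines taken verbatim from the log above; the second is a constructed dump with placeholder names so the checks have something to flag. The line-layout rules and the XP default values are assumptions drawn from this log, not from WinPFind documentation.

```python
import re

# Sample 1: verbatim lines from the WinPFind registry dump posted above.
CLEAN_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
"""

# Sample 2: constructed (not from the page); load points altered with placeholder names.
ALTERED_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\placeholder.exe,
Shell = Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\placeholder
DLLName = C:\WINDOWS\System32\placeholder.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = C:\WINDOWS\System32\placeholder2.dll
"""

HIVE_LINE = re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR)\\")        # bare subkey line
RUN_LINE = re.compile(r'^(.+?)\s+((?:"|[A-Za-z]:\\|%).*)$')          # "Name command args"
EXE_ARGS = re.compile(r"^(.*?\.(?:exe|dll|com|bat|scr|cpl))(?:\s+(.*))?$", re.I)
LOAD_POINT = re.compile(r"\\Run(?:Once|OnceEx|Services|ServicesOnce)?$", re.I)
# XP defaults for the Winlogon values (assumed from this log), compared case-insensitively
EXPECTED_WINLOGON = {"userinit": r"^[a-z]:\\windows\\system32\\userinit\.exe,$",
                     "shell": r"^explorer\.exe$", "system": r"^$"}

def split_value(line):
    """Split one value line into (name, value) for the layouts WinPFind emits."""
    if line.startswith("= "):            # value with an empty name (ColumnHandlers)
        return "", line[2:].strip()
    if line.endswith(" ="):              # value present but empty ("System =")
        return line[:-2].strip(), ""
    if " = " in line:                    # "Name = value"
        name, value = line.split(" = ", 1)
        return name.strip(), value.strip()
    m = RUN_LINE.match(line)             # "Name command args" under the Run keys
    return (m.group(1).strip(), m.group(2).strip()) if m else (line.strip(), "")

def parse_winpfind_registry(text):
    """Return {key_path: [(name, value), ...]}: a [bracketed] line opens a key, a bare
    hive line opens a subkey, any other non-empty line is a value of the last key."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (line.startswith("[") and line.endswith("]")) or HIVE_LINE.match(line):
            current = line[1:-1] if line.startswith("[") else line
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(split_value(line))
    return keys

def split_command(cmd):
    """Separate the executable from its arguments in a Run-key command line."""
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_ARGS.match(cmd)              # unquoted path, possibly containing spaces
    return (m.group(1), m.group(2) or "") if m else (cmd, "")

def autorun_entries(keys):
    """List (key, name, exe, args) for every value under a Run* load point."""
    return [(key, name) + split_command(value)
            for key, values in keys.items() if LOAD_POINT.search(key)
            for name, value in values]

def winlogon_findings(keys):
    """Report Winlogon values, Notify subkeys and AppInit_DLLs that differ from a clean XP box."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\winlogon"):
            for name, value in values:
                pattern = EXPECTED_WINLOGON.get(name.lower())
                if pattern and not re.match(pattern, value.lower()):
                    findings.append(f"{name} is '{value}', not the default")
        elif "\\winlogon\\notify" in low:
            sub = key.rsplit("\\", 1)[-1]
            findings += [f"Winlogon Notify subkey {sub} loads {v}" for _, v in values if v]
        elif low.endswith("\\currentversion\\windows"):
            findings += [f"AppInit_DLLs is set to {v}" for n, v in values
                         if n.lower() == "appinit_dlls" and v]
    return findings
```

Running `winlogon_findings(parse_winpfind_registry(CLEAN_DUMP))` on the page's own lines returns an empty list, which is what the posted log shows: an empty Notify key, the stock UserInit and Shell, and no AppInit_DLLs. The constructed dump yields three findings, one per altered load point. The unquoted-path handling in `split_command` matters for entries like "Iomega Startup Options", whose command line has spaces but no quotes.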

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Well, isn't this just wonderful, Look2me has changed once again and the l2mfix isn't working correctly, as you can see from the WinPFind log!

Let's try something

Download a fresh copy of the l2m fix to a floppy disc!

Next, download The Hoster to a floppy as well

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!
Exit Program!


Now go to Safe Mode and log in as the Administrator, not a user account but the actual Admin account!

Install the l2mfix and The Hoster to the Admin account!

Run the l2m fix and select Option 1

Run it again and select Option 4

Run once more and select Option 2

Now run The Hoster just as described and Restart back into Safe Mode under your normal log in name and run a scan with WinPFind again!

Post the results of the WinPFind scan in your next reply!
  • 0

#14
LeatherCat

LeatherCat

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I'm REALLY beginning to hate the guys that wrote this evil piece of code and those who left their OS in such a state as to allow these exploits.

OK here goes for today.

Ran Kaspersky scan first -- Result follows. (this is before l2mfix - and I DID ask for text not HTML)

=-=-=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT

Thursday, October 13, 2005 17:10:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/10/2005
Kaspersky Anti-Virus database records: 153867

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects: 34358
Number of viruses found: 4
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 4066 sec

Infected Object Name / Virus Name

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text
    Infected: Email-Worm.Win32.Mimail.txt

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED
    Infected: Email-Worm.Win32.Mimail.a

C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx
    Infected: Email-Worm.Win32.Mimail.a

C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6/WISE0001.BIN
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir/WISE0001.BIN
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir
    Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j

F:\active\common\kf141.zip/keyfinder.exe/xpkey.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\kf141.zip/keyfinder.exe/officekey.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\kf141.zip/keyfinder.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\kf141.zip
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\keyfinder.exe/xpkey.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\keyfinder.exe/officekey.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

F:\active\common\keyfinder.exe
    Infected: not-a-virus:PSWTool.Win32.RAS.a

Scan process completed.

=-=-=-=-=-=-=-=-=-=
l2mfix next
=-=-=-=-=-=-=-=-=-=

(report file)

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Property Sheet Shell Extension"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{04466240-beb3-11d1-be1c-00aa006b77f4}"="WebDrive Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

No matches found.
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8857-A63C

Directory of C:\WINDOWS\System32

07/02/2005 02:06 PM <DIR> dllcache
04/12/2003 09:45 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 34,694,541,312 bytes free


(log file)

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (208 bytes security) (deflated 2%)
adding: Import.txt (208 bytes security) (deflated 78%)
adding: lo2.txt (208 bytes security) (deflated 43%)
adding: log.txt (208 bytes security) (deflated 94%)
adding: MDacLog.txt (208 bytes security) (deflated 94%)
adding: test.txt (208 bytes security) (stored 0%)
adding: test2.txt (208 bytes security) (stored 0%)
adding: test3.txt (208 bytes security) (stored 0%)
adding: test5.txt (208 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

(restore file)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM

=-=-=-=-=-=-=-=-=-=
WinPFind
=-=-=-=-=-=-=-=-=-=
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
qoologic 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
SAHAgent 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
qoologic 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
SAHAgent 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/13/2005 7:19:14 PM S 2048 C:\WINDOWS\bootstat.dat
10/12/2005 9:45:10 PM H 54156 C:\WINDOWS\QTFont.qfn
10/12/2005 9:45:16 PM H 24034 C:\WINDOWS\system32\FFASTLOG.TXT
10/13/2005 7:23:52 PM H 1024 C:\WINDOWS\system32\config\default.LOG
10/13/2005 7:19:30 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/13/2005 7:23:54 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
10/13/2005 7:23:50 PM H 487424 C:\WINDOWS\system32\config\software.LOG
10/13/2005 7:24:08 PM H 8192 C:\WINDOWS\system32\config\system.LOG
10/2/2005 3:26:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2VA8CUE2\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47E9KCEC\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CXUBW1MJ\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZDEXDQ7S\desktop.ini
10/13/2005 7:07:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 10/12/2001 10:30:50 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/11/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 12:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 3/25/2003 9:06:28 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/19/2005 1:26:08 PM 1797 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/26/2003 9:22:34 AM 801 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\System32\WEBCHECK.DLL
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/13/2005 7:36:07 PM

=-=-=-=-=-=-=-=-=-=
Finally Kaspersky again (this time saved as an HTML file, then cut-n-paste from another browser window)
=-=-=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 13, 2005 21:03:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/10/2005
Kaspersky Anti-Virus database records: 153888
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 34640
Number of viruses found 3
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 4113 sec

Infected Object Name Virus Name
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text Infected: Email-Worm.Win32.Mimail.txt
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted It

#15
LeatherCat (Topic Starter, Member, 14 posts)
I'm REALLY beginning to hate the guys that wrote this evil piece of code and those who left their OS in such a state as to allow these exploits.

OK here goes for today.

Ran Kaspersky scan first -- result follows. (This is before l2mfix - and I DID ask for text, not HTML.)

=-=-=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 13, 2005 17:10:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/10/2005
Kaspersky Anti-Virus database records: 153867
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 34358
Number of viruses found 4
Number of infected objects 21
Number of suspicious objects 0
Duration of the scan process 4066 sec

Infected Object Name Virus Name
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text Infected: Email-Worm.Win32.Mimail.txt
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx/[From "Active-Tech Calgary" <[email protected]>][Date Thu, 7 Aug 2003 15:43:51 -0600]/UNNAMED Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.Win32.Mimail.a
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\0EA1D869-C14A-4972-A455-6EDD93 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\1AFF343E-BA4C-4C6A-9DA7-FCAFCB\CA55C5F4-723A-4925-851C-5B53C6 Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\WINDOWS\temp\ASHeuristic\0EA1D869-C14A-4972-A455-6EDD93.vir Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
F:\active\common\kf141.zip/keyfinder.exe/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip/keyfinder.exe/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\kf141.zip Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
F:\active\common\keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a

Scan process completed.

=-=-=-=-=-=-=-=-=-=
l2mfix next
=-=-=-=-=-=-=-=-=-=

(report file)

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BB7DF450-F119-11CD-8465-00AA00425D90}"="Microsoft Access Custom Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.2 Property Sheet Shell Extension"
"{c7745760-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{c7745761-8ead-11ce-b750-02608ca5202c}"="IomegaWare Shell Extension"
"{04466240-beb3-11d1-be1c-00aa006b77f4}"="WebDrive Shell Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

No matches found.
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8857-A63C

Directory of C:\WINDOWS\System32

07/02/2005 02:06 PM <DIR> dllcache
04/12/2003 09:45 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 34,694,541,312 bytes free


(log file)

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (208 bytes security) (deflated 2%)
adding: Import.txt (208 bytes security) (deflated 78%)
adding: lo2.txt (208 bytes security) (deflated 43%)
adding: log.txt (208 bytes security) (deflated 94%)
adding: MDacLog.txt (208 bytes security) (deflated 94%)
adding: test.txt (208 bytes security) (stored 0%)
adding: test2.txt (208 bytes security) (stored 0%)
adding: test3.txt (208 bytes security) (stored 0%)
adding: test5.txt (208 bytes security) (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"


Registry permissions set to:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

(restore file)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Warning (option /rga:(ci)) - There is no ACE to remove!


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM

=-=-=-=-=-=-=-=-=-=
WinPFind
=-=-=-=-=-=-=-=-=-=
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
qoologic 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
SAHAgent 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\lpt$vpn.889
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
qoologic 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
SAHAgent 10/12/2005 2:36:44 PM 16033311 C:\WINDOWS\VPTNFILE.889
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
PEC2 7/11/1997 163384 C:\WINDOWS\SYSTEM32\ODBCJET.HLP
PEC2 2/28/2002 1:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 8/24/2005 9:33:20 AM 726208 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/13/2005 7:19:14 PM S 2048 C:\WINDOWS\bootstat.dat
10/12/2005 9:45:10 PM H 54156 C:\WINDOWS\QTFont.qfn
10/12/2005 9:45:16 PM H 24034 C:\WINDOWS\system32\FFASTLOG.TXT
10/13/2005 7:23:52 PM H 1024 C:\WINDOWS\system32\config\default.LOG
10/13/2005 7:19:30 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/13/2005 7:23:54 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
10/13/2005 7:23:50 PM H 487424 C:\WINDOWS\system32\config\software.LOG
10/13/2005 7:24:08 PM H 8192 C:\WINDOWS\system32\config\system.LOG
10/2/2005 3:26:32 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2VA8CUE2\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\47E9KCEC\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CXUBW1MJ\desktop.ini
10/12/2005 8:31:30 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZDEXDQ7S\desktop.ini
10/13/2005 7:07:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 10/12/2001 10:30:50 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/11/1997 53520 C:\WINDOWS\SYSTEM32\MLCFG32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 12:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 4:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 3/25/2003 9:06:28 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 2:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/29/2002 4:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/19/2005 1:26:08 PM 1797 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/26/2003 9:22:34 AM 801 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/10/2002 10:37:54 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2002 3:27:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WebDrive
{04466240-beb3-11d1-be1c-00aa006b77f4} = rfshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
Iomega Startup Options C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\System32\WEBCHECK.DLL
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/13/2005 7:36:07 PM

=-=-=-=-=-=-=-=-=-=
Finally Kaspersky again (this time saved as an HTML file then cut-n-pasted from another browser window)
=-=-=-=-=-=-=-=-=-=
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 13, 2005 21:03:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/10/2005
Kaspersky Anti-Virus database records: 153888
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 34640
Number of viruses found 3
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 4113 sec

Infected Object Name Virus Name
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/text Infected: Email-Worm.Win32.Mimail.txt
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip/message.html Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted Items.dbx/[From [email protected]][Date Fri, 1 Aug 2003 15:42:37 -0600]/message.zip Infected: Email-Worm.Win32.Mimail.a
C:\Documents and Settings\POS\Local Settings\Application Data\Identities\{104BFBE0-9C5E-4685-89BD-A8F5206A0C49}\Microsoft\Outlook Express\Deleted It