Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Forgot something [RESOLVED]


  • This topic is locked This topic is locked

#16
HowieDMB22

HowieDMB22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 11/7/2005 8:07:02 PM 203302 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...
FSG! 9/23/2002 7:12:22 PM 524166 C:\Program Files\Winamp 3.15.exe

Checking %WinDir% folder...
PTech 6/2/2004 2:54:12 PM 20522 C:\WINDOWS\installer2.exe
UPX! 3/23/2004 5:25:52 PM 236715 C:\WINDOWS\Key5.txt
PTech 6/2/2004 9:06:48 PM 20522 C:\WINDOWS\landing.html
UPX! 3/23/2004 5:25:52 PM 416979 C:\WINDOWS\UnstSA5.exe
UPX! 6/6/2004 6:48:30 PM 214168 C:\WINDOWS\whCC-MOTOR.exe
UPX! 7/6/2005 1:03:18 PM 63232 C:\WINDOWS\wsem303.dll

Checking %System% folder...
UPX! 6/2/2003 5:12:30 PM 18432 C:\WINDOWS\SYSTEM32\Agent.dlltmp
abetterinternet.com 12/4/2003 9:38:42 PM 135168 C:\WINDOWS\SYSTEM32\bi9.exe_
abetterinternet.com 7/3/2004 2:58:20 PM 135168 C:\WINDOWS\SYSTEM32\biC.exe_
UPX! 10/1/2004 10:10:22 PM 124416 C:\WINDOWS\SYSTEM32\bUS.dll
aspack 10/1/2004 10:10:22 PM 124416 C:\WINDOWS\SYSTEM32\bUS.dll
UPX! 2/25/2003 8:59:40 PM 7168 C:\WINDOWS\SYSTEM32\ctbv.dlltmp
UPX! 3/26/2003 8:25:24 PM 38400 C:\WINDOWS\SYSTEM32\ctbv2.dll
PEC2 7/21/2001 4:15:34 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 3/28/2003 8:35:16 PM 7168 C:\WINDOWS\SYSTEM32\exactsetup.dlltmp
UPX! 12/5/2003 9:32:10 PM 34816 C:\WINDOWS\SYSTEM32\ezStub3.dll
UPX! 4/27/2004 8:07:00 PM 238592 C:\WINDOWS\SYSTEM32\KVIF_11.dlltmp
PTech 6/11/2004 12:13:06 PM H 3279394 C:\WINDOWS\SYSTEM32\kyf.dat
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 10/4/2005 9:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 9:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 8/22/2001 7:00:00 PM 86030 C:\WINDOWS\SYSTEM32\msdjgk.dll
UPX! 8/22/2001 7:00:00 PM 218624 C:\WINDOWS\SYSTEM32\mseggo.gif
UPX! 8/22/2001 7:00:00 PM 215040 C:\WINDOWS\SYSTEM32\msfaol.dll
UPX! 1/26/2003 8:51:46 PM 2048 C:\WINDOWS\SYSTEM32\msietn.dlltmp
UPX! 12/5/2003 9:32:12 PM 37888 C:\WINDOWS\SYSTEM32\n3tpa1i.dll
UPX! 2/8/2003 11:51:58 PM 30720 C:\WINDOWS\SYSTEM32\netpals.dll
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
Umonitor 2/12/2002 5:14:12 PM 630784 C:\WINDOWS\SYSTEM32\SET1D0.tmp
UPX! 1/20/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe
UPX! 6/14/2003 10:17:18 PM 3072 C:\WINDOWS\SYSTEM32\szla.dlltmp
UPX! 5/25/2003 6:35:22 PM 2048 C:\WINDOWS\SYSTEM32\wb.dlltmp
winsync 7/21/2001 4:23:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
69.59.186.63 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
209.66.67.134 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.97 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.77 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
web-nex 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
winsync 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
rec2_run 8/30/2005 7:00:12 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/7/2005 8:10:36 PM S 2048 C:\WINDOWS\bootstat.dat
11/7/2005 8:09:00 PM H 24 C:\WINDOWS\p1JwG
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 6:15:08 PM S 11084 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
11/7/2005 8:10:24 PM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG
11/7/2005 8:10:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
11/7/2005 8:10:40 PM H 16384 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
11/7/2005 8:11:14 PM H 106496 C:\WINDOWS\SYSTEM32\config\software.LOG
11/7/2005 8:10:50 PM H 978944 C:\WINDOWS\SYSTEM32\config\system.LOG
10/21/2005 7:15:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\NTUSER.DAT.LOG
9/26/2005 8:52:08 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\b1765816-92b2-48da-b814-c785d128b8bd
9/26/2005 8:52:08 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/7/2005 8:09:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/7/2001 8:00:08 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINDOWS\SYSTEM32\plugincpl131_04.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft 3/2/1999 8:10:02 PM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
8/30/2005 7:00:12 PM 31744 C:\WINDOWS\SYSTEM32\vgactl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 12:37:02 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/29/2003 10:28:58 AM 849 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 6.0 Tray Icon.lnk
11/6/2001 4:36:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/7/2005 3:59:52 PM 228352 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oxhi.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/6/2001 8:27:24 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/17/2001 2:22:52 PM 36864 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
11/6/2001 4:36:08 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/6/2001 8:27:24 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{54F4E7DF-1CD4-4460-B6E8-3B8459B2EA75} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfnqtm
{c94df44a-2dad-428b-ad49-825ec918dc26} = C:\WINDOWS\System32\lcwpoa.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfnqty
{dc9bd652-f165-4fac-93ac-17d6514746ce} = C:\WINDOWS\system32\lcwpou.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mfnqtymg
{8e606a7f-35e7-43e9-bacd-4dac1c524df4} = C:\WINDOWS\system32\kfelr.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StopSignRCS
{BB83FD23-AC96-472D-8AA2-7D8560A61D1A} =

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\system32\wuauclt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
ButtonText = Bodog Poker : C:\Program Files\Bodog Poker\GameClient.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
winsync C:\WINDOWS\system32\pwikra.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Microsoft Works Update Detection c:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM95\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\babeie
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CNBabe
hkey HKLM
command rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CNBabe
hkey HKLM
command rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BearShare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BearShare
hkey HKLM
command "C:\Program Files\BearShare\BearShare.exe" /pause
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BearShare
hkey HKLM
command "C:\Program Files\BearShare\BearShare.exe" /pause
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BJCFD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command C:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command C:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Browser Pal
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adblck
hkey HKLM
command C:\PROGRA~1\BROWSE~1\adblck.exe -s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item adblck
hkey HKLM
command C:\PROGRA~1\BROWSE~1\adblck.exe -s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ComcastSUPPORT
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tgkill
hkey HKLM
command C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tgkill
hkey HKLM
command C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ConMgr.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ConMgr
hkey HKLM
command "C:\Program Files\EarthLink 5.0\ConMgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ConMgr
hkey HKLM
command "C:\Program Files\EarthLink 5.0\ConMgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DownloadWare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EanthologyApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EANTHO~1
hkey HKLM
command C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EANTHO~1
hkey HKLM
command C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBD
hkey HKLM
command C:\HP\KBD\KBD.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?

hkey HKCU
command ??? ??? ??? ? ? ?

inimapping 1
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?

hkey HKCU
command ??? ??? ??? ? ? ?

inimapping 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\mcafee.com\Agent\mcagent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command C:\Program Files\mcafee.com\Agent\mcagent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcupdate
hkey HKLM
command C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MediaLoads Installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Works Update Detection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WkDetect
hkey HKCU
command c:\Program Files\Microsoft Works\WkDetect.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WkDetect
hkey HKCU
command c:\Program Files\Microsoft Works\WkDetect.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\New.net Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NEWDOT~2
hkey HKLM
command rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PromulGate
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PgMonitr
hkey HKLM
command "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PgMonitr
hkey HKLM
command "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PS2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ps2
hkey HKLM
command C:\WINDOWS\system32\ps2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ps2
hkey HKLM
command C:\WINDOWS\system32\ps2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Recguard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RECGUARD
hkey HKLM
command C:\WINDOWS\SMINST\RECGUARD.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RECGUARD
hkey HKLM
command C:\WINDOWS\SMINST\RECGUARD.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?

hkey HKCU
command ??? ??? ??? ? ? ?

inimapping 1
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?

hkey HKCU
command ??? ??? ??? ? ? ?

inimapping 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\mcafee.com\VSO\mcvsshld.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command C:\Program Files\mcafee.com\VSO\mcvsshld.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wcmdmgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wcmdmgrl
hkey HKLM
command C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wcmdmgrl
hkey HKLM
command C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WeatherCast
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Weather
hkey HKCU
command C:\Program Files\WeatherCast\Weather.exe /q
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Weather
hkey HKCU
command C:\Program Files\WeatherCast\Weather.exe /q
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Save
hkey HKLM
command C:\PROGRA~1\Save\Save.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Save
hkey HKLM
command C:\PROGRA~1\Save\Save.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Winampa
hkey HKLM
command "C:\Program Files\Winamp\Winampa.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Winampa
hkey HKLM
command "C:\Program Files\Winamp\Winampa.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinStart001.EXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WinStart001
hkey HKLM
command C:\WINDOWS\System\WinStart001.EXE -b
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WinStart001
hkey HKLM
command C:\WINDOWS\System\WinStart001.EXE -b
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WINSTA~1.EXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WINSTA~1
hkey HKLM
command C:\WINDOWS\System\WINSTA~1.EXE -b
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WINSTA~1
hkey HKLM
command C:\WINDOWS\System\WINSTA~1.EXE -b
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WT GameChannel
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GameChannel
hkey HKLM
command C:\Program Files\WildTangent\Apps\GameChannel.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GameChannel
hkey HKLM
command C:\Program Files\WildTangent\Apps\GameChannel.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/7/2005 8:47:57 PM
  • 0

Advertisements


#17
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please run msconfig and enable all startup items. It looks like you some malware in there and unless they are enabled we can't use Hijackthis to remove them.



Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfnqtm]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfnqty]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\mfnqtymg]

[-HKEY_CLASSES_ROOT\CLSID\{c94df44a-2dad-428b-ad49-825ec918dc26}]

[-HKEY_CLASSES_ROOT\CLSID\{dc9bd652-f165-4fac-93ac-17d6514746ce}]

[-HKEY_CLASSES_ROOT\CLSID\{8e606a7f-35e7-43e9-bacd-4dac1c524df4}]

Now Locate and DoubleClick KillQoo.reg-> Allow it to merge into the Registry!


Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\installer2.exe
      C:\WINDOWS\Key5.txt
      C:\WINDOWS\landing.html
      C:\WINDOWS\UnstSA5.exe
      C:\WINDOWS\whCC-MOTOR.exe
      C:\WINDOWS\wsem303.dll
      C:\WINDOWS\SYSTEM32\bi9.exe_
      C:\WINDOWS\SYSTEM32\biC.exe_
      C:\WINDOWS\SYSTEM32\bUS.dll
      C:\WINDOWS\SYSTEM32\bUS.dll
      C:\WINDOWS\SYSTEM32\ctbv.dlltmp
      C:\WINDOWS\SYSTEM32\ctbv2.dll
      C:\WINDOWS\SYSTEM32\exactsetup.dlltmp
      C:\WINDOWS\SYSTEM32\ezStub3.dll
      C:\WINDOWS\SYSTEM32\KVIF_11.dlltmp
      C:\WINDOWS\SYSTEM32\kyf.dat
      C:\WINDOWS\SYSTEM32\msdjgk.dll
      C:\WINDOWS\SYSTEM32\mseggo.gif
      C:\WINDOWS\SYSTEM32\msfaol.dll
      C:\WINDOWS\SYSTEM32\msietn.dlltmp
      C:\WINDOWS\SYSTEM32\n3tpa1i.dll
      C:\WINDOWS\SYSTEM32\netpals.dll
      C:\WINDOWS\SYSTEM32\szla.dlltmp
      C:\WINDOWS\SYSTEM32\wb.dlltmp
      C:\WINDOWS\SYSTEM32\wuauclt.dll
      C:\WINDOWS\SYSTEM32\vgactl.cpl
      C:\WINDOWS\system32\lcwpou.dll
      C:\WINDOWS\System32\lcwpoa.dll
      C:\WINDOWS\system32\kfelr.dll
      C:\WINDOWS\system32\pwikra.exe
      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oxhi.exe
      C:\Program Files\CommonName\Toolbar\CNBabe.dll
      C:\Program Files\DownloadWare\dw.exe

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.


Please post a new hijackthis log.
  • 0

#18
HowieDMB22

HowieDMB22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:50:30 PM, on 11/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.rioport.com/HPMusic
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwikra.exe reg_run
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Ultra Virtual Desktop.lnk = C:\Program Files\Ultra Networks Software\Ultra Virtual Desktop\UVDesktop.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {91F1D42A-19FD-4E7F-AF32-4FF8ED49DF65} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {934A2095-3792-464D-B085-B718EDEC51C5} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A11EB36E-3761-417D-9FFD-5A352192CE69} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://neteye.pct.ed...sCamControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#19
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please fix this line with Hijackthis.

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pwikra.exe reg_run

Reboot and post a new hijackthis log.
How are things running now?
  • 0

#20
HowieDMB22

HowieDMB22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:23:58 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.rioport.com/HPMusic
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Ultra Virtual Desktop.lnk = C:\Program Files\Ultra Networks Software\Ultra Virtual Desktop\UVDesktop.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {91F1D42A-19FD-4E7F-AF32-4FF8ED49DF65} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {934A2095-3792-464D-B085-B718EDEC51C5} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {A11EB36E-3761-417D-9FFD-5A352192CE69} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://neteye.pct.ed...sCamControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#21
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
How are things working for you now? Any problems?
  • 0

#22
HowieDMB22

HowieDMB22

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Well, no more Movieland Popups and I see you also got rid of Ultra Virtual Desktop and that was another thing that appeared at start up. Other than that its been running smoothly. I don't have a whole lot of room on this computer and its pretty old so its a bit lethargic but thats usual. Sorry about the delay a couple days ago, i didnt receive a reply notification. I really appreciate all the help. I would make a donation but honestly im only 16 and i dont really have the capability to do so. If theres anything else i should do i guess i'll get an e-mail about it. Thanks again!
  • 0

#23
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
  • 0

#24
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP