Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

winfixer and other pop ups, ad nauseam [RESOLVED]


  • This topic is locked This topic is locked

#31
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
OK, here we go. SAFE MODE, second runs............. will break up in posts so not truncated like earlier...

Spysweeper log.....

********
2:43 PM: | Start of Session, Wednesday, November 09, 2005 |
2:43 PM: Spy Sweeper started
2:43 PM: Sweep initiated using definitions version 569
2:43 PM: Starting Memory Sweep
2:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:07
2:44 PM: Starting Registry Sweep
2:44 PM: Registry Sweep Complete, Elapsed Time:00:00:12
2:44 PM: Starting Cookie Sweep
2:44 PM: Found Spy Cookie: atwola cookie
2:44 PM: andrew@atwola[1].txt (ID = 2255)
2:44 PM: Found Spy Cookie: 2o7.net cookie
2:44 PM: andrew@msnportal.112.2o7[1].txt (ID = 1958)
2:44 PM: Found Spy Cookie: questionmarket cookie
2:44 PM: andrew@questionmarket[1].txt (ID = 3217)
2:44 PM: Found Spy Cookie: trafficmp cookie
2:44 PM: andrew@trafficmp[1].txt (ID = 3581)
2:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:44 PM: Starting File Sweep
2:46 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:46 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\regcode.dll". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "regcode.dll" at Cluster:4904868
2:48 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:48 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\sos.dll". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "sos.dll" at Cluster:4904868
2:48 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:48 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\regasm.exe". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "regasm.exe" at Cluster:4904868
2:48 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:48 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\shfusres.dll". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "shfusres.dll" at Cluster:4904868
2:49 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:49 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\regsvcs.exe". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "regsvcs.exe" at Cluster:4904868
2:49 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:49 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\perfcounter.dll". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "perfcounter.dll" at Cluster:4904868
2:49 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:49 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\windows\microsoft.net\framework\v1.1.4322\shfusion.dll". TLogicalNTFSDisk.FindDirEntry Could not read Cluster "shfusion.dll" at Cluster:4904868
2:56 PM: Found Adware: dealhelper
2:56 PM: a0000118.exe (ID = 163218)
2:58 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:58 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\regcode.dll.
2:58 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:58 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\region.nlp.
2:58 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:58 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\sos.dll.
2:58 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:58 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\prc.nlp.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\prcp.nlp.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\regasm.exe.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\shfusres.dll.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\regsvcs.exe.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\perfcounter.dll.
2:59 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
2:59 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\shfusion.dll.
2:59 PM: Found System Monitor: potentially rootkit-masked files
2:59 PM: system.directoryservices.dll (ID = 0)
3:01 PM: system.data.oracleclient.dll (ID = 0)
3:03 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
3:03 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\sorttbls.nlp.
3:03 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
3:03 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\sortkey.nlp.
3:03 PM: system.web.dll (ID = 0)
3:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
3:05 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\regasm.exe.config.
3:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
3:06 PM: Warning: DDAFileExists failed to resolve the MFT number for: c:\windows\microsoft.net\framework\v1.1.4322\regsvcs.exe.config.
3:07 PM: File Sweep Complete, Elapsed Time: 00:22:35
3:07 PM: Full Sweep has completed. Elapsed time 00:24:03
3:07 PM: Traces Found: 8
3:20 PM: Removal process initiated
3:20 PM: Quarantining All Traces: potentially rootkit-masked files
3:22 PM: Quarantining All Traces: dealhelper
3:22 PM: Quarantining All Traces: 2o7.net cookie
3:22 PM: Quarantining All Traces: atwola cookie
3:22 PM: Quarantining All Traces: questionmarket cookie
3:22 PM: Quarantining All Traces: trafficmp cookie
3:22 PM: Removal process completed. Elapsed time 00:01:24
********
  • 0

Advertisements


#32
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
Silentrunners log.......In Safe MODE

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"SecretSmileys" = "C:\PROGRA~1\SECRET~1\ss.exe" ["TAF Technology"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corp."]
"000StTHK" = "000StTHK.exe" [null data]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"SigmaTel StacMon" = "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" ["SigmaTel Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]
"Pinger" = "C:\TOSHIBA\IVP\ISM\pinger.exe /run" ["TOSHIBA Corporation"]
"PRONoMgr.exe" = "c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" ["Intel® Corporation"]
"DeviceDiscovery" = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"TFncKy" = "TFncKy.exe" ["TOSHIBA Corporation"]
"POINTER" = "point32.exe" [MS]
"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! Sebring\DLLName = "c:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [file not found]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


Startup items in "Andrew" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Canon PC1200 iC D700 Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM3LAK.EXE !N" ["CANON INC."]
"Microsoft Office OneNote 2003 Quick Launch" -> shortcut to: "C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]
"RAMASST" -> shortcut to: "C:\WINDOWS\system32\RAMASST.exe" ["Matsushita Electric Industrial Co., Ltd."]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{0E67722E-E309-4341-81BD-3CC3018BF5B3}\ = "My Quick Search Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
DVD-RAM_Service, DVD-RAM_Service, "C:\WINDOWS\System32\DVDRAMSV.exe" ["Matsushita Electric Industrial Co., Ltd."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
RegSrvc, RegSrvc, "C:\WINDOWS\System32\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\System32\S24EvMon.exe" ["Intel Corporation "]
Swupdtmr, Swupdtmr, "c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe" [null data]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 80 seconds)
  • 0

#33
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
..WINPFIND log.....[i]

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 11/22/2004 8:00:46 PM 535838720 C:\WINDOWS\MEMORY.DMP
aspack 11/22/2004 8:00:46 PM 535838720 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 8/4/2004 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 12/10/2003 2:36:10 PM 236544 C:\WINDOWS\SYSTEM32\divxdec.ax
SAHAgent 8/10/2005 3:06:52 PM 35 C:\WINDOWS\SYSTEM32\f504an59.ini
SAHAgent 11/7/2005 6:06:22 PM 3642 C:\WINDOWS\SYSTEM32\ktl3d11r.ini
PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
SAHAgent 8/10/2005 3:06:52 PM 35 C:\WINDOWS\SYSTEM32\ll90ks5q.ini
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
PTech 11/3/2005 12:13:50 AM 838236 C:\WINDOWS\SYSTEM32\NewAaqeobu1.xml
PTech 11/3/2005 12:13:50 AM 838236 C:\WINDOWS\SYSTEM32\NewZfgoplu1.xml
aspack 8/4/2004 7:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 7:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/9/2005 2:41:04 PM S 2048 C:\WINDOWS\bootstat.dat
11/8/2005 9:33:42 PM H 24 C:\WINDOWS\p2gqa
11/6/2005 10:59:40 PM H 54156 C:\WINDOWS\QTFont.qfn
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 5:17:42 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/9/2005 2:44:24 PM H 16384 C:\WINDOWS\system32\config\default.LOG
11/9/2005 2:41:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/9/2005 2:41:06 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/9/2005 10:02:20 PM H 135168 C:\WINDOWS\system32\config\software.LOG
11/9/2005 2:42:32 PM H 905216 C:\WINDOWS\system32\config\system.LOG
11/8/2005 4:30:20 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
11/8/2005 4:28:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\d34e481e-f852-469c-b55a-971eb44a7a54
11/8/2005 4:28:30 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11/9/2005 9:48:40 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
TOSHIBA Corp. 8/21/2003 10:20:54 PM 507904 C:\WINDOWS\SYSTEM32\HWSETUP.CPL
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 2:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 9/24/2003 9:00:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 12/10/2003 4:26:02 AM 77824 C:\WINDOWS\SYSTEM32\PRAppltW.cpl
Apple Computer, Inc. 7/27/2003 1:05:54 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
SigmaTel Inc. 8/19/2003 9:03:08 PM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
9/5/2003 4:36:40 PM 495616 C:\WINDOWS\SYSTEM32\TOSCDSPD.cpl
TOSHIBA Corporation 9/25/2003 9:20:12 AM 1245184 C:\WINDOWS\SYSTEM32\TPwrSave.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 7:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
3/24/2005 4:37:16 PM 1062 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon PC1200 iC D700 Status Window.LNK
9/14/2004 9:14:00 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/6/2004 6:58:14 PM 1805 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
2/6/2004 7:53:04 PM 1497 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/14/2004 9:00:46 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
4/4/2005 2:55:58 PM 6 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt

Checking files in %USERPROFILE%\Startup folder...
2/6/2004 6:50:38 PM HS 84 C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
2/6/2004 10:41:28 AM HS 62 C:\Documents and Settings\Andrew\Application Data\desktop.ini
6/2/2004 9:42:32 PM 0 C:\Documents and Settings\Andrew\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{98775A51-B636-49C2-B18C-2353941A7CC1} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{8C504614-A455-4CBA-81B4-D279644B8A7D}
= tfaxext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
00THotkey C:\WINDOWS\system32\00THotkey.exe
000StTHK 000StTHK.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
SigmaTel StacMon C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
AGRSMMSG AGRSMMSG.exe
TouchED C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
Pinger C:\TOSHIBA\IVP\ISM\pinger.exe /run
PRONoMgr.exe c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
HP Software Update C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
ShStatEXE "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
TPSMain TPSMain.exe
TFncKy TFncKy.exe
POINTER point32.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TOSCDSPD C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
SecretSmileys C:\PROGRA~1\SECRET~1\ss.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^WASTE.lnk
path C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\WASTE.lnk
backup C:\WINDOWS\pss\WASTE.lnkStartup
location Startup
command C:\PROGRA~1\WASTE\waste.exe
item WASTE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\B'sCLiP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BSCLIP
hkey HKLM
command C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item BSCLIP
hkey HKLM
command C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BullsEye Network
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bargains
hkey HKLM
command C:\Program Files\BullsEye Network\bin\bargains.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bargains
hkey HKLM
command C:\Program Files\BullsEye Network\bin\bargains.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Drag'n Drop CD+DVD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DragDrop
hkey HKLM
command C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DragDrop
hkey HKLM
command C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\File Find
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dtc
hkey HKLM
command C:\WINDOWS\dtc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dtc
hkey HKLM
command C:\WINDOWS\dtc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICQ Lite
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command C:\Program Files\ICQLite\ICQLite.exe -minimize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICQLite
hkey HKLM
command C:\Program Files\ICQLite\ICQLite.exe -minimize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MetalSpy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MetalSpy
hkey HKLM
command C:\Program Files\MetalSpy\MetalSpy.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MetalSpy
hkey HKLM
command C:\Program Files\MetalSpy\MetalSpy.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\salm
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item salm
hkey HKLM
command c:\program files\180searchassistant\salm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item salm
hkey HKLM
command c:\program files\180searchassistant\salm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebSavingsFromEbates0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebSavingsFromEbates0
hkey HKLM
command "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebSavingsFromEbates0
hkey HKLM
command "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring
= c:\WINDOWS\System32\LgNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/9/2005 10:22:22 PM
  • 0

#34
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
:tazz: and finally ..Uninstall List....

Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AOL Instant Messenger
ArcSoft Software Suite
AT&T Connection Services Manager
B's CLiP
Canon PC1200/iC D700
CD/DVD Drive Acoustic Silencer
CleanUp!
Diablo II
DivX Player
DVD-RAM Driver
Easy CD & DVD Creator 6
eMule
ewido security suite
HijackThis 1.99.1
hp deskjet 5800
hp deskjet 5800 series
HP Photo and Imaging 2.0 - Deskjet Series
HP Software Update
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wireless
InterActual Player
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Kaspersky On-line Scanner
LimeWire 4.9.30
LiveUpdate 1.90 (Symantec Corporation)
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee VirusScan Enterprise
Memory Module Check Utility
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Works 7.0
MSN Music Assistant
My Quick Search Bar
Notebook Maximizer
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PCPitstop Panda AntiVirus Scan (remove only)
PrintScreen
Quicken 2004
QuickTime
RealPlayer
Remove DivX Codec
Search Assistant - My Quick Search
SecretSmileys
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Select CashBack
SigmaTel AC97 Audio Drivers
Spy Sweeper
Spybot - Search & Destroy 1.3
SurfHere by Toshiba
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Display Devices Change Utility
TOSHIBA Fax Extension
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.05.00
TOSHIBA Utilities
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Media Player
WASTE (remove only)
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinMX
  • 0

#35
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

You may wish to save/print out these instructions as you may not have access to them in safe mode.

Please copy and paste the text below into notepad exactly as it is.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BullsEye Network]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\salm]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebSavingsFromEbates0]

Save as FixMe.reg - Make sure to save it as type All Files.

Please boot into safe mode by tapping the F8 key as your computer starts up.

Go to Add/Remove Programs and uninstall the following:

Search Assistant - My Quick Search - See if this will uninstall.
Select CashBack

Then remove the following files/folders:

C:\WINDOWS\SYSTEM32\f504an59.ini
C:\WINDOWS\SYSTEM32\ktl3d11r.ini
C:\WINDOWS\SYSTEM32\ll90ks5q.ini
C:\WINDOWS\SYSTEM32\NewAaqeobu1.xml
C:\WINDOWS\SYSTEM32\NewZfgoplu1.xml
C:\WINDOWS\p2gqa
C:\Program Files\BullsEye Network
C:\program files\180searchassistant

Run FixMe.reg

Reboot into normal mode and see how your computer is running. :tazz:
  • 0

#36
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
OnNT, does REGEDIT4 need to be the first line of the file? How specifically RUN FixMe.reg? Thanks.
  • 0

#37
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

Please copy and paste the text below into notepad exactly as it is.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BullsEye Network]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\salm]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebSavingsFromEbates0]

Save as FixMe.reg - When you save it, under Save As Type, select All Files.

When you run it, double click it, and it will ask if you want to allow it to merge with the registry, answer yes.

It should say it was entered successfully.

Forgot to proof read. :tazz:
  • 0

#38
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
Thank you for help to date. Neither add/remove would work, myquicksearch missing the req file, but select cashback did ask to remove itself from the menu, and did. First six files done ok, but Bullseye Network and 180searchassistant were not to be found, visually or using search. hidden and system files still visible. Still get an end program - Sample at shutdown and forced to click end to shutdown/reboot. Looking at rest of operation. ReRan spysweeper, it still reports hidden files in .net, of the type could be rootkit. does not del them. Let me know what you think.. THANKS
  • 0

#39
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, middie042.

Let's get rid of those corrupted uninstall entries.
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the entries you wish to delete
  • Search Assistant - My Quick Search
  • My Quick Search Bar
  • Click on Delete this entry for each
  • Click "Yes"

Still get an end program - Sample at shutdown


Can you get a screenshot of that or anything? Does it give the name of the program?

As for the possible rookit problem...

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

  • 0

#40
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
Hello OwNt, all things are running well. When reviewing some of the logs, I noticed the MFC and checksum errors. I performed a scandisk on bootup with fix all errors. THe files spysweeper thought were possible rootkit appeared to be orphan files. All orphan files were repaired, and subsequent ss run reported clean! I believe that took care of that. Did not d/l the rootkit revealer, don't think necessary. As far as the SAMPLE message on shutdown, it is infrequent and hasnt happened again. Can't copy to clipboard and paint as it is in shutdown process, so I will skip it from further work right now.

Great Job for me. A real learning experience and i appreciate all of the input and help provided! G2G certainly does ROCK! :tazz: Thanks very much for all of your dedicated and expert help. I will see you around I am sure. Thank you.
  • 0

Advertisements


#41
Middie042

Middie042

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 382 posts
Mark this as closed and resolved!!! Thanks again.

Edited by middie042, 10 November 2005 - 08:43 PM.

  • 0

#42
OwNt

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Please Re-Hide Hidden Files and Folders

Here are some tips to help keep the laptop secure in the future.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Edited by OwNt, 10 November 2005 - 10:31 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP