Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trouble with pop-ups [RESOLVED]


  • This topic is locked This topic is locked

#1
drenton

drenton

    New Member

  • Member
  • Pip
  • 8 posts
Thanks for having a look at my problem. I've been having pop-ups for various ads in separate windows whenever internet explore is open (and on 1 occasion when I used Firefox). I've tried many programs over the last days to weeks: cwshredder, microsoft antipsyware, spybot S&D, ad-aware SE, adware away, trendmicro housecall, and Ewido security center. There is a program in my add/delete software tha I haven't removed yet. When I hit remove it brings up a webpage: http://command.adser...m/uninstall.php

I haven't had the nerve to try it. I tried to search the web for information about the program and have not found anything. Any help would be great.

Here's my Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 6:49:08 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Douglas Renton\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O15 - Trusted Zone: *.ngb.army.mil
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O16 - DPF: {479B29EF-9A2C-11D0-B696-00A0C903487A} - file://C:\LCJ5INST\wwwroot\IDXLCJ\lcj\Lastword_Client_for_Java-Standalone.CAB
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - http://pacsweb/magic...ientInstall.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O16 - DPF: {F1A9DAA5-FB03-4CF7-B6B4-35EBD4ED60B1} (AXUpload Control) - https://giftzclub.com/OCX/AXUpload.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello Douglas and welcome to Geeks to Go

The programme you mention is not showing up on your HJT log and the only entry I would change is the 015 trusted zone, but you may have deliberately set it. You are probably right not to go to the linked website for "removal" Let's start with a scan.

Download:
Ewido Security Suite

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Post back a fresh HijackThis log (from normal mode) and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.
  • 0

#3
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks, here's the logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:07:42 AM, 11/9/2005
+ Report-Checksum: DD629D4B

+ Scan result:

C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@coxhsi.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@ehealthcaresolutions.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@northwestairlines.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Cookies\douglas renton@tribuneinteractive.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Douglas Renton\Local Settings\Temporary Internet Files\Content.IE5\390GP7FL\mm[1].js -> Spyware.Chitika : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 6:13:38 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Douglas Renton\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O15 - Trusted Zone: *.ngb.army.mil
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O16 - DPF: {479B29EF-9A2C-11D0-B696-00A0C903487A} - file://C:\LCJ5INST\wwwroot\IDXLCJ\lcj\Lastword_Client_for_Java-Standalone.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - http://pacsweb/magic...ientInstall.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O16 - DPF: {F1A9DAA5-FB03-4CF7-B6B4-35EBD4ED60B1} (AXUpload Control) - https://giftzclub.com/OCX/AXUpload.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Ad-aware 6 Personal
Adobe Acrobat 5.0
Adware Away v2.2.8.9
America's Army
AnyDVD
AportisDoc PDF Converter
ArcSoft Camera Suite 2.1
ASGE 2003
ASGE Manual
ATI Control Panel
ATI Display Driver Utilities
AvantGo Client
AVI Info
Backup Dell-Installed Programs
BackupBuddy for Windows
BroadJump Client Foundation
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CheckIt 86
Citrix ICA Client
CLIE Organizer for PC
CLIE SCSI Driver
CLIE Update Wizard
CloneCD
CloneDVD2
Command
CorrectConnect
Data Export
DivX Codec
DivX Player
Documents To Go
DVD Solution
ePocrates ePocrates software for PalmOS
Epocrates Essentials
Essentials
ewido security suite
ffdshow (remove only)
FlashFXP v3
FlashGet(JetCar)
Forté Agent
GiftzClub Uploader
GrabIt 1.5.1 Beta (build 888)
GSpot Codec Information Appliance
HanDBase® for Palm OS v3.0
HanDBase® for Palm OS v3.0
HijackThis 1.99.1
Hitman: Contracts
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Image Converter 1.1
InCD
InterActual Player
InterVideo WinDVD
iSilo
iSiloX
IsoBuster 1.7
iTunes
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_05
Kinoma Producer 3
LastWord Client for Java - Standalone
LCJ
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
MARGI Presenter-to-Go
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office Professional Edition 2003
Microsoft Office XP Media Content
Microsoft Producer
Microsoft Windows Journal Viewer
MobiPocket Reader
Mozilla Firefox (1.0.4)
MSN Gaming Zone
MSN Messenger 7.0
MSN Music Assistant
MSXML4 Parser
Multimedia Launcher
nAVI Vx3 MPEG-4 Codec
Nero OEM
Nic's XviD Decoder
Palm Desktop
Palm Desktop and Synchronization Software
Panda ActiveScan
PCFriendly
PDA Toolbox 6.0 SP1
Photogather for Palm OS Desktop
PowerDVD
PowerProducer
QuickLinks
QuickPar 0.9
QuickTime
RealPlayer
RepliGo Desktop (remove only)
RepliGo Viewer (remove only)
Rio Support
RioPort Audio Manager
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Shockwave
Soldat 1.3
Spybot - Search & Destroy 1.4
Star Wars Galactic Battlegrounds: Saga
StatCoder.com STAT Cholesterol_GrowthCharts_Cardiac Clearance_JNC 7_GRACE
Symantec AntiVirus
The Incredible Machine: Even More Contraptions
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
UpToDate
VG Factory Build 081704
VPN Client
WardWatch v3.1
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows SR 2.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinImage
WinPcap 3.0
WinRAR archiver
XBC 4.1
XBC 4.1 beta
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
yEnc32 (remove only)
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Douglas

After looking at your system in more depth, these are the changes I propose to your HJT log.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O15 - Trusted Zone: *.ngb.army.mil
O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - http://pacsweb/magic...ientInstall.cab
O16 - DPF: {F1A9DAA5-FB03-4CF7-B6B4-35EBD4ED60B1} (AXUpload Control) - https://giftzclub.com/OCX/AXUpload.ocx


Click on Fix Checked when finished and exit HijackThis.

This is the result of your installed programmes list:

InterActual Player – Malware. Uninstall

GiftzClub Uploader – Suspected to be malware
Command – Suspected to be malware

Essentials - Unknown
LCJ – Unknown

Mozilla Firefox (1.0.4) – Out of date. Update to version 1.0.7
MSN Messenger 7.0 – Out of date. Update to version 7.5

Download:WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into Safe Mode: please see here if you are not sure how to do this.

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt
  • 0

#5
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I upgraded those programs. The LCJ is a client for my work, should be safe.

Unfortunately I need to leave until Tuesday so I'll check back then, I certainly appreciate all your help.

Here's the WinPfind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\lpt$vpn.905
qoologic 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\lpt$vpn.905
SAHAgent 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\lpt$vpn.905
UPX! 5/3/2005 10:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 3:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\VPTNFILE.905
qoologic 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\VPTNFILE.905
SAHAgent 10/20/2005 12:58:44 PM 16129279 C:\WINDOWS\VPTNFILE.905
UPX! 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 5:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/23/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/29/2005 12:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 10/2/2005 6:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/2/2005 6:40:46 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
PTech 11/18/1997 7:34:00 AM 11113 C:\WINDOWS\SYSTEM32\SNWVALID.HLP
UPX! 8/18/2003 8:11:50 PM 21357 C:\WINDOWS\SYSTEM32\UninstXviDDec.exe
winsync 8/23/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/10/2005 8:26:14 AM S 2048 C:\WINDOWS\bootstat.dat
11/10/2005 8:21:32 AM H 57 C:\WINDOWS\pqJrb
11/10/2005 7:45:10 AM H 54156 C:\WINDOWS\QTFont.qfn
10/4/2005 7:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/10/2005 8:26:06 AM H 8192 C:\WINDOWS\system32\config\default.LOG
11/10/2005 8:26:28 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/10/2005 8:26:16 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/10/2005 8:26:30 AM H 65536 C:\WINDOWS\system32\config\software.LOG
11/10/2005 8:26:24 AM H 1044480 C:\WINDOWS\system32\config\system.LOG
10/30/2005 5:08:18 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
10/26/2005 6:45:44 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\1a717da3-554d-4d93-ab71-34da1e1b2203
10/26/2005 6:45:44 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
10/8/2005 9:54:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\776d76c2-cd31-40e6-9abf-e0b44eca787c
10/8/2005 9:54:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
11/10/2005 8:24:54 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
iAnywhere Solutions, Inc. 3/17/2005 1:35:20 PM 400640 C:\WINDOWS\SYSTEM32\agcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 3/4/2005 2:36:44 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/18/2003 4:40:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
6/23/2004 9:24:52 PM 1711 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
6/16/2005 6:20:32 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
6/16/2005 3:46:30 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
11/9/2005 6:10:12 AM 2355 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
9/8/2005 7:03:32 PM 1653 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\One-VA VPN Client.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/18/2003 11:25:36 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
6/16/2005 3:59:16 PM 761 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
7/18/2003 4:40:28 PM HS 84 C:\Documents and Settings\Douglas Renton\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
7/18/2003 11:25:36 AM HS 62 C:\Documents and Settings\Douglas Renton\Application Data\desktop.ini
10/22/2005 10:43:24 AM 40344 C:\Documents and Settings\Douglas Renton\Application Data\GDIPFONTCACHEV1.DAT
10/10/2005 8:46:28 PM 83 C:\Documents and Settings\Douglas Renton\Application Data\sversion.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ImageConverter
{B27C1C78-310B-4229-B090-EE6BA4D18DB6} = C:\Program Files\Sony\Image Converter\CtxMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\yEnc32
{8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1} = C:\Program Files\eSite Media\yEnc32\yEnc32Shell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ImageConverter
{B27C1C78-310B-4229-B090-EE6BA4D18DB6} = C:\Program Files\Sony\Image Converter\CtxMenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}
IeCatch2 Class = C:\PROGRA~1\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} = FlashGet Bar : C:\PROGRA~1\FlashGet\fgiebar.dll
{81F4066B-F330-4872-8094-3E9FBCCEC8C1} = &RepliGo : C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2887F316-8C6C-47ae-A462-D2C9739D2C3D}
MenuText = CheckIt &86 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}
ButtonText = FlashGet : C:\PROGRA~1\FlashGet\flashget.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{81F4066B-F330-4872-8094-3E9FBCCEC8C1} = &RepliGo : C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PowerBar
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
InCDsrv 2
LexBceS 2
Ati HotKey Poller 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk
backup C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\AcroTray.exe
item Acrobat Assistant
backup C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\AcroTray.exe
item Acrobat Assistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CheckIt 86.lnk
backup C:\WINDOWS\pss\CheckIt 86.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\CheckIt\86\CHECKI~1.EXE
item CheckIt 86
backup C:\WINDOWS\pss\CheckIt 86.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\CheckIt\86\CHECKI~1.EXE
item CheckIt 86

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorrectConnect.lnk
backup C:\WINDOWS\pss\CorrectConnect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\CConnect\CConnect.exe
item CorrectConnect
backup C:\WINDOWS\pss\CorrectConnect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\CConnect\CConnect.exe
item CorrectConnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GiftzClub GiftzStick Detector.lnk
backup C:\WINDOWS\pss\GiftzClub GiftzStick Detector.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\GIFTZC~1\uploader.exe
item GiftzClub GiftzStick Detector
backup C:\WINDOWS\pss\GiftzClub GiftzStick Detector.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\GIFTZC~1\uploader.exe
item GiftzClub GiftzStick Detector

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Douglas Renton^Start Menu^Programs^Startup^HotSync Manager.lnk
backup C:\WINDOWS\pss\HotSync Manager.lnkStartup
location Startup
command C:\PROGRA~1\HANDSP~1\HOTSYNC.EXE
item HotSync Manager
backup C:\WINDOWS\pss\HotSync Manager.lnkStartup
location Startup
command C:\PROGRA~1\HANDSP~1\HOTSYNC.EXE
item HotSync Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Douglas Renton^Start Menu^Programs^Startup^Infotriever.lnk
path C:\Documents and Settings\Douglas Renton\Start Menu\Programs\Startup\Infotriever.lnk
backup C:\WINDOWS\pss\Infotriever.lnkStartup
location Startup
command C:\PROGRA~1\INFOTR~1\Agent\INFOCL~1.EXE -startup
item Infotriever
path C:\Documents and Settings\Douglas Renton\Start Menu\Programs\Startup\Infotriever.lnk
backup C:\WINDOWS\pss\Infotriever.lnkStartup
location Startup
command C:\PROGRA~1\INFOTR~1\Agent\INFOCL~1.EXE -startup
item Infotriever

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Douglas Renton^Start Menu^Programs^Startup^Mobipocket Web Companion.lnk
backup C:\WINDOWS\pss\Mobipocket Web Companion.lnkStartup
location Startup
command C:\PROGRA~1\MOBIPO~1.COM\MOBIPO~1\webcomp.exe -m
item Mobipocket Web Companion
backup C:\WINDOWS\pss\Mobipocket Web Companion.lnkStartup
location Startup
command C:\PROGRA~1\MOBIPO~1.COM\MOBIPO~1\webcomp.exe -m
item Mobipocket Web Companion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Douglas Renton^Start Menu^Programs^Startup^OpenOffice.org 1.1.5.lnk
path C:\Documents and Settings\Douglas Renton\Start Menu\Programs\Startup\OpenOffice.org 1.1.5.lnk
backup C:\WINDOWS\pss\OpenOffice.org 1.1.5.lnkStartup
location Startup
command C:\PROGRA~1\OPENOF~1.5\program\QUICKS~1.EXE
item OpenOffice.org 1.1.5
path C:\Documents and Settings\Douglas Renton\Start Menu\Programs\Startup\OpenOffice.org 1.1.5.lnk
backup C:\WINDOWS\pss\OpenOffice.org 1.1.5.lnkStartup
location Startup
command C:\PROGRA~1\OPENOF~1.5\program\QUICKS~1.EXE
item OpenOffice.org 1.1.5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Douglas Renton^Start Menu^Programs^Startup^Skyscape smARTupdate.lnk
backup C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup
location Startup
item Skyscape smARTupdate
backup C:\WINDOWS\pss\Skyscape smARTupdate.lnkStartup
location Startup
item Skyscape smARTupdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AnyDVD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AnyDVD
hkey HKLM
command C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BJCFD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command C:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CFD
hkey HKLM
command C:\Program Files\BroadJump\Client Foundation\CFD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CloneCDTray
hkey HKLM
command "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\InCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item InCD
hkey HKLM
command C:\Program Files\Ahead\InCD\InCD.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Program Files\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LXSUPMON
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LXSUPMON
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item LXSUPMON
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\McAfeeUpdaterUI
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdaterUI
hkey HKLM
command "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdaterUI
hkey HKLM
command "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MsnMsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NeroCheck
hkey HKLM
command C:\WINDOWS\system32\NeroCheck.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PowerBar
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PowerBar
hkey HKCU
command "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PowerBar
hkey HKCU
command "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RepliGo Assistant
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RepliGoMon
hkey HKLM
command "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RepliGoMon
hkey HKLM
command "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tgcmd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tgcmd
hkey HKLM
command "C:\Program Files\Support.com\bin\tgcmd.exe" /server
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tgcmd
hkey HKLM
command "C:\Program Files\Support.com\bin\tgcmd.exe" /server
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vptray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VPTray
hkey HKLM
command C:\PROGRA~1\SYMANT~1\VPTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VPTray
hkey HKLM
command C:\PROGRA~1\SYMANT~1\VPTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 2
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/10/2005 8:38:45 AM
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Douglas

No problem with the out of town, thanks for telling me.

There was little to glean from the WinPfind scan result. The only file that I could not identify was this:
C:\WINDOWS\pqJrb

I have no idea what it is, so I'd like you to submit it for appraisal. Please visit Kaspersky for a file scan. After submitting, please wait for the result and post it in your reply.

Thanks.
  • 0

#7
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the results, I continue to have numerous pop-ups:

Kaspersky File Scanner

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

Download a trial version of Kaspersky Anti-Virus
Purchase Kaspersky Anti-Virus in our E-Store
Purchase Kaspersky Anti-Virus from a certified partner

Scanned file: pqJrb

pqJrb - OK


Statistics:
Known viruses: 159856 Updated: 15-11-2005
File size (Kb): 1 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0


Thanks!
  • 0

#8
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Don't know if this is related, but a small error window popped up with the following:

Title: Micorsoft Visual C++ Runtime Library

Runtime error!

Program: C:\PROGRAM FILES\BRODUCER\CIARSVP.EXE

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.


A search of my computer finds a prefetch file CIARSVP.EXE-34Eg5540.pf, which I know I have deleted in the past (I deleted all the prefetch files)
No results searching google for this file name.
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Douglas

Let me see if my nose takes me in the right direction. Very often if you can't see it, look for a root kit.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:AproposFix
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#10
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Aproposfix log:
Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Douglas Renton\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CqiU4AyshS6m]
@="QViSTYeCDDCDDED4MTGMVxICDDCSFDmYdTemiD4A45u.JIDt3y7u34Dy14JMJs:E4A4"
"Device"="\\\\.\\s6D06Fh2"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\ips363cn.sys"
"DriverName"="AFSCDIO"
"HideUninstallerName"="C:\\Program Files\\Broducer\\isrc3212.exe"
"HDll"="C:\\WINDOWS\\system32\\trkmgr10.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.LAV"
"InstallationId"="{Xc18ec1f-7d0c-3931-5723-ce46addc6eb0}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Broducer\\ciarsvp.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\cremrt.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:11:10-14:21:31:892"

************

Removing hidden service:
Service AFSCDIO removed.

Removing hidden folder:
Deletion of folder Broducer succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\ips363cn.sys succeeded!
Deletion of file C:\WINDOWS\system32\cremrt.exe succeeded!
Deletion of file C:\WINDOWS\system32\trkmgr10.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CqiU4AyshS6m]
[-HKEY_LOCAL_MACHINE\Software\CqiU4AyshS6m]

Done!

Finished!


HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:47:10 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\One-VA VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://omaha.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &RepliGo - {81F4066B-F330-4872-8094-3E9FBCCEC8C1} - C:\Program Files\Cerience\RepliGo\RepliGoIEBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: One-VA VPN Client.lnk = C:\Program Files\One-VA VPN Client\vpngui.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {479B29EF-9A2C-11D0-B696-00A0C903487A} - file://C:\LCJ5INST\wwwroot\IDXLCJ\lcj\Lastword_Client_for_Java-Standalone.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.co...aploader_v5.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\One-VA VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


No pop-ups for the short time I've had IE open!
  • 0

#11
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :)

I am very confident that we got it. That rootkit is pure stealth the only clue was BRODUCER. Normally it comes from SurfAccuracy, but there was no sign of that, so we must assume that these malware writers have changed their modus operandi and moved on.

I wish you happy safe surfing Douglas, are you a Doctor?

Edited by Crustyoldbloke, 16 November 2005 - 05:36 AM.

  • 0

#12
drenton

drenton

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for all the help. NO POP-UPS! :tazz:

I am a doctor, what gave it away?
  • 0

#13
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
You are very welcome to the help.

Some of the programmes on your PC were unusual and unknown to me, when I was researching them. They indicated someone with a keen interest in the well being of people. It seemed likely that you were either a MD or a hypochondriac :tazz:

I will leave this thread open for a few days in case of misfortune.
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP