Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help me, I can't remove this virus. [RESOLVED]

Started by brocksolid17 , Nov 22 2005 02:07 AM

  • This topic is locked This topic is locked

#1
brocksolid17
Posted 22 November 2005 - 02:07 AM

brocksolid17

    New Member

  • Member
  • Pip
  • 9 posts
Hi everyone,

Not too long ago, I got this virus called Trojan Vundo. My Norton AntiVirus program detected it and I was unable to remove no matter what I did. I tried running a scan but Norton was unable to remove the virus. I downloaded numerous free anti virus softwares and none were able to get rid of the trojan. I also tried Webroot Spysweeper which has removed the virus once before but it came back and I could not use webroot because it expired. So then I heared about Hijackthis and I ran a scan and saved the log of the scan. I hope that someone can help me with this issue because I'm very frustrated :tazz: .
Help will be greatly appreciated.
Thanks in advance.

And here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:14 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Msn Messenger Service] msnmsg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxAjSzNn] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxAjSzNn
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - HKCU\..\RunServices: [Msn Messenger Service] msnmsg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O20 - AppInit_DLLs: C:\WINDOWS\System32\QUERY251p.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\p48q0el5ehq.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
OwNt
Posted 22 November 2005 - 02:18 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

Please print these instructions out or save them in notepad for use in safe mode.
  • Please open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....



  • At this point press enter one time.


  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:



  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\geeda.dll

  • Press Enter to continue with the fix.


  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\adeeg.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
    O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Edited by OwNt, 23 November 2005 - 11:51 PM.

  • 0

#3
brocksolid17
Posted 22 November 2005 - 04:37 PM

brocksolid17

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi there again,

I did everything you just posted above but nothing helped, I am really frustrated :tazz: .... anyhow here are the logs.

The Latest HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:23 PM, on 11/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Here is the VundoFix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:/WINDOWS/System32/geeda.dll

The second filepath entered was C/WINDOWS/System32/adeeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 140 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 760 'explorer.exe'
Killing PID 760 'explorer.exe'


Killing PID 216 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:/WINDOWS/System32/geeda.dll.
C/WINDOWS/System32/adeeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------





And finally, here are the ActiveScan Results:


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\System32\geeda.dll
Adware:adware/lop Not disinfected C:\Documents and Settings\Admir Garic\Favorites\ Antivirus.url
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.exe.temp
Adware:adware/wintools Not disinfected Windows Registry
Virus:Trj/Conho.B Not disinfected C:\asdf.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Admir Garic\Desktop\hijackthis\backups\backup-20051122-132753-488.dll
Adware:Adware/InstDollars Not disinfected C:\Program Files\Windows Media Player\mprocessor.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\geeda.dll
  • 0

#4
OwNt
Posted 22 November 2005 - 07:55 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Please also download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Then download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Reboot your computer into Safe Mode by tapping F8 as your computer starts up.

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

1) Now run Killbox.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\asdf.exe
C:\WINDOWS\System32\geeda.dll
C:\Documents and Settings\Admir Garic\Favorites\ Antivirus.url
C:\WINDOWS\msbb.exe.temp
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\backups\backup-20051122-132753-488.dll
C:\Program Files\Windows Media Player\mprocessor.exe

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

So I need 3 logs in total. The WinPFind log, the SpySweeper log, and a new Hijackthis log.
  • 0

#5
brocksolid17
Posted 23 November 2005 - 05:32 PM

brocksolid17

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi there again.

I still couldn't remove the virus. I tried getting Webroot Spysweeper but I could not download it because I already used it once before and it expired long ago so I only have the HiJackthis log and the WinPFind Log.
Also, when I ran kill box I would get a message saying "PendingFilenameOperation Registry Data has been removed by external process" so I downloaded the missingfilesetup and installed the file, ran killbox again and I got the same message. Anyhow, here are the two logs....

The Latest HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:16:47 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Here is the WinPFind Log (it is very long) :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 11/21/2005 9:43:00 PM 12243390 C:\AVG7QT.DAT
urllogic 11/21/2005 9:43:00 PM 12243390 C:\AVG7QT.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 10/16/2004 12:54:10 AM 200923 C:\WINDOWS\Cxaenzxv.rqs
aspack 10/16/2004 12:53:58 AM 1343999 C:\WINDOWS\Givuqgsawub.obv
PTech 10/16/2004 12:53:58 AM 1343999 C:\WINDOWS\Givuqgsawub.obv
PEC2 10/8/2004 8:56:28 PM 184535 C:\WINDOWS\Hbbadngj.jrw
PTech 10/16/2004 12:54:06 AM 1626626 C:\WINDOWS\Hnydwfm.swa
PEC2 10/8/2004 8:56:30 PM 193869 C:\WINDOWS\Luqbklng.oec
PTech 10/11/2004 6:56:24 PM 483851 C:\WINDOWS\Ypcyeyqvbj.klb

Checking %System% folder...
PEC2 8/29/2002 2:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2 10/26/2004 2:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 2:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 11/24/2001 9:31:48 AM 65536 C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX! 11/24/2001 9:28:14 AM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
PTech 8/29/2005 12:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 10:49:02 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 2:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
UPX! 11/21/2005 9:39:44 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 11/21/2005 9:39:44 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 11/21/2005 9:39:44 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 11/21/2005 9:39:44 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/23/2005 7:09:26 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
11/18/2005 12:41:42 PM H 54156 C:\WINDOWS\QTFont.qfn
10/8/2005 1:48:28 AM HS 338054 C:\WINDOWS\Help\SBSI\evawrba.bak2
10/13/2005 3:04:42 PM HS 345272 C:\WINDOWS\Help\SBSI\evawrba.ini
11/20/2005 3:36:56 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_60.cab
11/23/2005 7:17:12 AM HS 1301 C:\WINDOWS\SYSTEM32\adeeg.ini
10/24/2005 10:21:00 PM HS 4256 C:\WINDOWS\SYSTEM32\dfhkj.ini
10/14/2005 2:53:28 PM HS 347266 C:\WINDOWS\SYSTEM32\pstwa.bak2
10/17/2005 8:24:04 PM HS 352961 C:\WINDOWS\SYSTEM32\pstwa.ini
10/19/2005 4:41:56 PM HS 352802 C:\WINDOWS\SYSTEM32\pstwa.ini2
10/17/2005 8:24:10 PM HS 352691 C:\WINDOWS\SYSTEM32\pstwa.tmp
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 5:17:40 PM S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/23/2005 7:09:20 AM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
11/23/2005 7:09:44 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
11/23/2005 7:09:28 AM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
11/23/2005 7:11:20 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
11/23/2005 7:09:58 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
11/20/2005 8:49:56 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
11/22/2005 8:00:02 PM H 242 C:\WINDOWS\Tasks\AE00EC4A91879D3A.job
11/23/2005 7:08:50 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
5/25/2004 8:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
5/10/2001 9:00:00 PM 183808 C:\WINDOWS\SYSTEM32\BDEADMIN.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 5/10/2004 9:46:10 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 3/11/2003 1:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 4/4/1996 2:11:00 AM R 340480 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 7/27/2003 7:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/11/2005 1:34:32 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 6:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 5:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
4/3/2005 7:33:08 PM 771 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 6:00:00 AM HS 84 C:\Documents and Settings\Admir Garic\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
4/11/2005 1:31:18 PM 1020 C:\Documents and Settings\Admir Garic\Application Data\AdobeDLM.log
9/3/2002 5:50:46 AM HS 62 C:\Documents and Settings\Admir Garic\Application Data\DESKTOP.INI
4/11/2005 1:31:16 PM 0 C:\Documents and Settings\Admir Garic\Application Data\dm.ini
5/18/2004 10:00:54 PM 12358 C:\Documents and Settings\Admir Garic\Application Data\PFP110JCM.{PB
5/18/2004 10:00:56 PM 61678 C:\Documents and Settings\Admir Garic\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{6D155557-FA4F-4CCC-B4C4-B1454EDEFA41} =
{73D0757F-895A-4B4B-A2D5-B1CDD923F0D9} =
{6CC2293A-92D9-4DB6-9299-1AD9A5754577} = C:\WINDOWS\system32\WUDMLOG.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A}
MSEvents Object = C:\WINDOWS\System32\geeda.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Yahoo! Services :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
URLLSTCK.exe C:\Program Files\Norton Internet Security\UrlLstCk.exe
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Steam
Malware Sweeper C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ASFERROR878m.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ASFERROR878m
hkey HKCU
command "C:\WINDOWS\System32\ASFERROR878m.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ASFERROR878m
hkey HKCU
command "C:\WINDOWS\System32\ASFERROR878m.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AutoUpdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoUpdate
hkey HKLM
command "C:\Program Files\AutoUpdate\AutoUpdate.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AutoUpdate
hkey HKLM
command "C:\Program Files\AutoUpdate\AutoUpdate.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bakra
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IEHost
hkey HKLM
command C:\WINDOWS\System32\IEHost.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IEHost
hkey HKLM
command C:\WINDOWS\System32\IEHost.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BullsEye Network
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bargains
hkey HKLM
command C:\Program Files\BullsEye Network\bin\bargains.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bargains
hkey HKLM
command C:\Program Files\BullsEye Network\bin\bargains.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\bxxs5
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bxxs5
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bxxs5
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CATSRVUT608p.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CATSRVUT608p
hkey HKCU
command "C:\WINDOWS\System32\CATSRVUT608p.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CATSRVUT608p
hkey HKCU
command "C:\WINDOWS\System32\CATSRVUT608p.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ClockSync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Sync
hkey HKCU
command C:\PROGRA~1\CLOCKS~1\Sync.exe /q
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Sync
hkey HKCU
command C:\PROGRA~1\CLOCKS~1\Sync.exe /q
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ClrSchLoader
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Loader
hkey HKLM
command C:\Program Files\ClearSearch\Loader.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Loader
hkey HKLM
command C:\Program Files\ClearSearch\Loader.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\COLBACT785w.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item COLBACT785w
hkey HKCU
command "C:\WINDOWS\System32\COLBACT785w.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item COLBACT785w
hkey HKCU
command "C:\WINDOWS\System32\COLBACT785w.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CSSEQCHK298r.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CSSEQCHK298r
hkey HKCU
command "C:\WINDOWS\System32\CSSEQCHK298r.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CSSEQCHK298r
hkey HKCU
command "C:\WINDOWS\System32\CSSEQCHK298r.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\d3d9528g.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item d3d9528g
hkey HKCU
command "C:\WINDOWS\System32\d3d9528g.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item d3d9528g
hkey HKCU
command "C:\WINDOWS\System32\d3d9528g.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\D3DIM596j.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item D3DIM596j
hkey HKCU
command "C:\WINDOWS\System32\D3DIM596j.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item D3DIM596j
hkey HKCU
command "C:\WINDOWS\System32\D3DIM596j.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\D3DIM678u.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item D3DIM678u
hkey HKCU
command "C:\WINDOWS\System32\D3DIM678u.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item D3DIM678u
hkey HKCU
command "C:\WINDOWS\System32\D3DIM678u.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DESKPERF191p.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DESKPERF191p
hkey HKCU
command "C:\WINDOWS\System32\DESKPERF191p.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DESKPERF191p
hkey HKCU
command "C:\WINDOWS\System32\DESKPERF191p.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DISKCOPY947e.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DISKCOPY947e
hkey HKCU
command "C:\WINDOWS\System32\DISKCOPY947e.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DISKCOPY947e
hkey HKCU
command "C:\WINDOWS\System32\DISKCOPY947e.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dmcompos725d.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dmcompos725d
hkey HKCU
command "C:\WINDOWS\System32\dmcompos725d.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dmcompos725d
hkey HKCU
command "C:\WINDOWS\System32\dmcompos725d.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DMDSKMGR853i.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DMDSKMGR853i
hkey HKCU
command "C:\WINDOWS\System32\DMDSKMGR853i.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DMDSKMGR853i
hkey HKCU
command "C:\WINDOWS\System32\DMDSKMGR853i.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DnkCBUq
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DnkCBUq
hkey HKLM
command C:\windows\system32\DnkCBUq.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DnkCBUq
hkey HKLM
command C:\windows\system32\DnkCBUq.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DownloadWare
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dw
hkey HKLM
command "C:\Program Files\DownloadWare\dw.exe" /H
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DPCDLL420h.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DPCDLL420h
hkey HKCU
command "C:\WINDOWS\System32\DPCDLL420h.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DPCDLL420h
hkey HKCU
command "C:\WINDOWS\System32\DPCDLL420h.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DRPROV536c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DRPROV536c
hkey HKCU
command "C:\WINDOWS\System32\DRPROV536c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DRPROV536c
hkey HKCU
command "C:\WINDOWS\System32\DRPROV536c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ds16gt824i.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ds16gt824i
hkey HKCU
command "C:\WINDOWS\System32\ds16gt824i.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ds16gt824i
hkey HKCU
command "C:\WINDOWS\System32\ds16gt824i.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDSentry
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSentry
hkey HKLM
command C:\WINDOWS\System32\DSentry.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSentry
hkey HKLM
command C:\WINDOWS\System32\DSentry.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dvx
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wsxsvc
hkey HKLM
command C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wsxsvc
hkey HKLM
command C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EbatesMoeMoneyMaker
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EbatesMoeMoneyMaker"
hkey HKLM
command javaw -cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EbatesMoeMoneyMaker"
hkey HKLM
command javaw -cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eZmmod
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmod
hkey HKCU
command C:\PROGRA~1\ezula\mmod.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmod
hkey HKCU
command C:\PROGRA~1\ezula\mmod.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\fldrclnr926c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fldrclnr926c
hkey HKCU
command "C:\WINDOWS\System32\fldrclnr926c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item fldrclnr926c
hkey HKCU
command "C:\WINDOWS\System32\fldrclnr926c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FONTEXT1029f.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FONTEXT1029f
hkey HKCU
command "C:\WINDOWS\System32\FONTEXT1029f.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FONTEXT1029f
hkey HKCU
command "C:\WINDOWS\System32\FONTEXT1029f.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FTSRCH933s.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FTSRCH933s
hkey HKCU
command "C:\WINDOWS\System32\FTSRCH933s.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FTSRCH933s
hkey HKCU
command "C:\WINDOWS\System32\FTSRCH933s.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\FvqQhNrnb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FvqQhNrnb
hkey HKLM
command c:\documents and settings\admir garic\local settings\temp\FvqQhNrnb.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item FvqQhNrnb
hkey HKLM
command c:\documents and settings\admir garic\local settings\temp\FvqQhNrnb.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gdiplus219d.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gdiplus219d
hkey HKCU
command "C:\WINDOWS\System32\gdiplus219d.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gdiplus219d
hkey HKCU
command "C:\WINDOWS\System32\gdiplus219d.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HNETMON880u.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HNETMON880u
hkey HKCU
command "C:\WINDOWS\System32\HNETMON880u.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HNETMON880u
hkey HKCU
command "C:\WINDOWS\System32\HNETMON880u.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hotbar
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Hbinst
hkey HKLM
command C:\Program Files\Hotbar\bin\Hbinst.exe /Upgrade
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Hbinst
hkey HKLM
command C:\Program Files\Hotbar\bin\Hbinst.exe /Upgrade
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\houqRVe4U
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item chkwsx
hkey HKCU
command chkwsx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item chkwsx
hkey HKCU
command chkwsx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HTUI542c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HTUI542c
hkey HKCU
command "C:\WINDOWS\System32\HTUI542c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HTUI542c
hkey HKCU
command "C:\WINDOWS\System32\HTUI542c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IASRECST805s.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IASRECST805s
hkey HKCU
command "C:\WINDOWS\System32\IASRECST805s.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IASRECST805s
hkey HKCU
command "C:\WINDOWS\System32\IASRECST805s.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICMUI907d.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICMUI907d
hkey HKCU
command "C:\WINDOWS\System32\ICMUI907d.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ICMUI907d
hkey HKCU
command "C:\WINDOWS\System32\ICMUI907d.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IEDriver
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IEDriver
hkey HKLM
command C:\WINDOWS\System32\IEDriver\IEDriver.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IEDriver
hkey HKLM
command C:\WINDOWS\System32\IEDriver\IEDriver.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IFMON512l.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IFMON512l
hkey HKCU
command "C:\WINDOWS\System32\IFMON512l.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IFMON512l
hkey HKCU
command "C:\WINDOWS\System32\IFMON512l.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\INETPP938m.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item INETPP938m
hkey HKCU
command "C:\WINDOWS\System32\INETPP938m.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item INETPP938m
hkey HKCU
command "C:\WINDOWS\System32\INETPP938m.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPNATHLP359c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPNATHLP359c
hkey HKCU
command "C:\WINDOWS\System32\IPNATHLP359c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPNATHLP359c
hkey HKCU
command "C:\WINDOWS\System32\IPNATHLP359c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPXRIP714c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPXRIP714c
hkey HKCU
command "C:\WINDOWS\System32\IPXRIP714c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPXRIP714c
hkey HKCU
command "C:\WINDOWS\System32\IPXRIP714c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IRCLASS840v.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IRCLASS840v
hkey HKCU
command "C:\WINDOWS\System32\IRCLASS840v.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IRCLASS840v
hkey HKCU
command "C:\WINDOWS\System32\IRCLASS840v.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISRDBG32590r.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISRDBG32590r
hkey HKCU
command "C:\WINDOWS\System32\ISRDBG32590r.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISRDBG32590r
hkey HKCU
command "C:\WINDOWS\System32\ISRDBG32590r.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDCA619d.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDCA619d
hkey HKCU
command "C:\WINDOWS\System32\KBDCA619d.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDCA619d
hkey HKCU
command "C:\WINDOWS\System32\KBDCA619d.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDLT1324t.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDLT1324t
hkey HKCU
command "C:\WINDOWS\System32\KBDLT1324t.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDLT1324t
hkey HKCU
command "C:\WINDOWS\System32\KBDLT1324t.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDNE778c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDNE778c
hkey HKCU
command "C:\WINDOWS\System32\KBDNE778c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDNE778c
hkey HKCU
command "C:\WINDOWS\System32\KBDNE778c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDSG936c.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDSG936c
hkey HKCU
command "C:\WINDOWS\System32\KBDSG936c.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDSG936c
hkey HKCU
command "C:\WINDOWS\System32\KBDSG936c.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDUK150n.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDUK150n
hkey HKCU
command "C:\WINDOWS\System32\KBDUK150n.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDUK150n
hkey HKCU
command "C:\WINDOWS\System32\KBDUK150n.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBDYCL706l.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDYCL706l
hkey HKCU
command "C:\WINDOWS\System32\KBDYCL706l.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item KBDYCL706l
hkey HKCU
command "C:\WINDOWS\System32\KBDYCL706l.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft&
  • 0

#6
OwNt
Posted 23 November 2005 - 11:51 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

These instructions will be very similiar to the last ones.

Please print these instructions out.
  • Please open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....



  • At this point press enter one time.


  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:



  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\geeda.dll

  • Press Enter to continue with the fix.


  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\adeeg.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
    O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#7
brocksolid17
Posted 25 November 2005 - 07:36 PM

brocksolid17

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Virus still there =/

Here is the latest HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:06 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\geeda.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Here is the latest VundoFix Log:
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\geeda.dll

The second filepath entered was C:\WINDOWS\System\adeeg.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 140 'smss.exe'
Error 0x6 : The handle is invalid.


Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'


Killing PID 216 'winlogon.exe'
Error 0x6 : The handle is invalid.

--------------------------------------------------------------------------------------

Could not delete C:\WINDOWS\System32\geeda.dll.
C:\WINDOWS\System\adeeg.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------




And finally, here are the latest ActiveScan results:

Incident Status Location

Adware:adware/lop Not Disinfected C:\Documents and Settings\Admir Garic\Favorites\ Computers.url
Adware:adware/wintools Not Disinfected Windows Registry
Virus:Trj/Conho.B Not Disinfected C:\!KillBox\asdf.exe
Adware:Adware/InstDollars Not Disinfected C:\!KillBox\mprocessor.exe
  • 0

#8
OwNt
Posted 26 November 2005 - 01:31 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

Is this an administrator acount or a limited one? One of the problems your having seems to point to a non administrative account.
  • 0

#9
brocksolid17
Posted 28 November 2005 - 12:16 AM

brocksolid17

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I finally resolved this issue. I also tried dowloading the panda activescan free trial version and it got rid of the virus.
Thanks a lot for your time and for helping me.
Your help is much appreciated.

Btw: It is just a regular account, I'm not an admin or anything. Regular member.
  • 0

#10
OwNt
Posted 28 November 2005 - 12:26 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

May I see a fresh Hijackthis log to be sure all traces are gone?
  • 0

#11
brocksolid17
Posted 29 November 2005 - 08:01 PM

brocksolid17

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi OwNt,

Here is the latest HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:00:26 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Admir Garic\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{05CEB4C6-B4A1-468A-AFFD-8829026BA359}: NameServer = 206.13.31.12 206.13.28.12
O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
OwNt
Posted 29 November 2005 - 09:34 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, brocksolid17.

Please open Hijackthis, scan, and place a checkmark by the following entry:

O20 - Winlogon Notify: geeda - C:\WINDOWS\System32\geeda.dll (file missing)

Close all open windows/browsers and click Fix Checked.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

  • 0

#13
OwNt
Posted 13 December 2005 - 09:14 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP