
It started w/ SpySheriff - now can't find infection, but its still


#16 CarrieDH (Member, Topic Starter, 19 posts)
I am wondering about this one:

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

When all my spam goes out, my screen fills up with little pop-ups (Symantec Proxy Server) with the message "Your mail could not be sent because..." and then a variety of reasons (no subject, or user's account is closed... etc etc).

#17 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
A little cleanup:

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O23 - Service: PMSOBSQRO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\PMSOBSQRO.exe

O23 - Service: TADMUDYNUUXNR - Sysinternals - www.sysinternals.com - C:\DOCUME~1\CARRIE~1\LOCALS~1\Temp\TADMUDYNUUXNR.exe

ccproxy.exe is a part of the Symantec Internet Security Suite. This process allows you to setup basic Internet sharing, which allows you to share your Internet connection across your home or office.

Looking at your log I think it's safe to do the online scan.

Let me know the results.

Regards,

#18 CarrieDH (Member, Topic Starter, 19 posts)
So, I did the online scan at Kaspersky, and at this point I am very depressed that it came up absolutely clean. Here is the log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 02, 2006 15:54:31
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/01/2006
Kaspersky Anti-Virus database records: 158470
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 343341
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 11767 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

and I don't know if this will help or not, but I think I mentioned that if I run msconfig, and uncheck all my startup stuff, then I don't seem to send out spam when I reboot. Here is everything I unchecked, do you see anything out of the ordinary? (or is this totally pointless?)

Startup Item: Command:
ctfmon C:\Windows\system32\ctfmon.exe
apdproxy C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
ashDisp C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ccApp C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ElbyCheck C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe /L ElbyCDFL
ctfmon C:\Windows\system32\ctfmon.exe
CTSysVol C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe/r
tfswctrl C:\Windows\system32\dla\tfswctrl.exe
DVDLauncher C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
msmsgs C:\Program Files\Messenger\msmsgs.exe
NvCpl RUNDLL32.exe C:\Windows\System32\NvCpl.dll, NvStartup
Rundll32P17 Rundll32 P17.dll.P17Helper
PCMService C:\Program Files\Dell\Media Experience\PCMService.exe
qttask C:\Program Files\QuickTime\qttask.exe -atboottime
ReminderApp C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
jusched C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
SNDMon C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
THGuard C:\Program Files\TrojanHunter 4.2\THGuard.exe
realsched C:\Program Files\Common Files\Real\Update_OB\realsched.exe /r
sgtray C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r
UpdReg C:\Windows\UpdReg.EXE
UrlLstCk C:\Program Files\Norton Internet Security\UrlLstCk.exe
gnotify C:\Program Files\Google\Gmail Notifier\gnotify.exe
Acrobat Assistant C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe
Adobe Reader Speed Launch C:\PROGRA~1\Adobe\ACROBA~3.0\Reader\READER~1.exe
Digital Line Detect C:\PROGRA~1\DIGITA~1\DLG.exe
hp psc 1000 series C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
hpoddt01.exe C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe


Or any other ideas? Thank you so much for your time and help... Carrie

#19 CarrieDH (Member, Topic Starter, 19 posts)
AND THEN.. I ran Microsoft Antispyware, and came up with the following infection when I did a full-system scan:

Small.136 Trojan Downloader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll DllName C:\Windows\system32\msctl32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll Startup Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll Asynchronous 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll Impersonate 0

which it said it cleaned (deleted).

Is this related to my spam problem? Thanks again for all your help

Carrie

#20 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Yay. I think you found it. :tazz:

Look at this
http://castlecops.com/o20list-145.html

I should have recognized it immediately since I keep that list updated at CastleCops.

But now the $1000 question is: why didn't that show up in your HijackThis log?

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder).

This will show us if MSAS was indeed successful.

Regards,
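As an added example (not the thread's own tooling): a small triage script over Winlogon\Notify entries in the line format Microsoft AntiSpyware printed above, which is the O20 persistence point Metallica points to. The baseline of default XP SP2 notification packages is assumed from general knowledge, the sample export is constructed, and its "Schedule" entry is invented to exercise the second check.

```python
"""Triage Winlogon\\Notify packages from an export in the line format
Microsoft AntiSpyware used above: the subkey path on its own line, then
one line per value as '<subkey path> <value name> <data>'.
Added example, not the thread's own tooling."""
import ntpath
from collections import OrderedDict

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Notification packages present on a default Windows XP SP2 install
# (subkey name -> DLL, both compared case-insensitively). Anything else
# is worth a closer look; several of these share wlnotify.dll.
XP_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}


def parse_notify_export(text):
    """Return an ordered mapping subkey -> {value name: data}.

    Assumes subkey names contain no spaces (true of the entries above);
    value data may contain spaces, e.g. a path under Program Files."""
    packages = OrderedDict()
    prefix = NOTIFY_KEY.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if not line.lower().startswith(prefix):
            continue
        subkey, _, value_part = line[len(prefix):].partition(" ")
        values = packages.setdefault(subkey, {})
        if value_part:
            name, _, data = value_part.partition(" ")
            values[name] = data
    return packages


def triage(packages):
    """Return (subkey, DllName, reason) for every entry that needs review."""
    findings = []
    for subkey, values in packages.items():
        dll = values.get("DllName", "")
        expected = XP_BASELINE.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "not a default XP notification package"))
        elif ntpath.basename(dll).lower() != expected:
            findings.append((subkey, dll, "default package name but DLL is not " + expected))
        # A bare file name is resolved from system32; an explicit path
        # anywhere else means Winlogon loads a DLL from an odd location.
        folder = ntpath.dirname(dll).lower()
        if folder and not folder.endswith("\\system32"):
            findings.append((subkey, dll, "DLL loaded from outside system32"))
    return findings


# Constructed sample: two benign XP entries, the msctl32.dll hit from the
# thread, and an invented entry that reuses the default name 'Schedule'.
SAMPLE_EXPORT = "\n".join([
    NOTIFY_KEY + r"\crypt32chain",
    NOTIFY_KEY + r"\crypt32chain DllName crypt32.dll",
    NOTIFY_KEY + r"\crypt32chain Asynchronous 0",
    NOTIFY_KEY + r"\cryptnet",
    NOTIFY_KEY + r"\cryptnet DllName cryptnet.dll",
    NOTIFY_KEY + r"\msctl32.dll",
    NOTIFY_KEY + r"\msctl32.dll DllName C:\Windows\system32\msctl32.dll",
    NOTIFY_KEY + r"\msctl32.dll Startup Startup",
    NOTIFY_KEY + r"\msctl32.dll Asynchronous 1",
    NOTIFY_KEY + r"\msctl32.dll Impersonate 0",
    NOTIFY_KEY + r"\Schedule",
    NOTIFY_KEY + r"\Schedule DllName C:\Program Files\Example\lookalike.dll",
])

if __name__ == "__main__":
    for subkey, dll, reason in triage(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey:14} {dll:45} {reason}")
```

Run against a real export, the same two checks answer Carrie's later question directly: crypt32chain and cryptnet are default XP packages and pass, while msctl32.dll is flagged.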

#21 CarrieDH (Member, Topic Starter, 19 posts)
You know what, I actually found SpamTool.Win32.Mailbot when I scanned immediately when I became infected, and my Norton said it was deleted. (and I was so excited, since it seemed to match my symptoms) but then nothing stopped! So YAY! I will do the other things you said and get back to you (HOORAY for Microsoft Antispyware!!)

Carrie(Thank you so much for your help...!!!!)

#22 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I feel so stupid I didn't notice it in your first WinPFind log. :tazz:

#23 CarrieDH (Member, Topic Starter, 19 posts)
Here is the WinPFind text: (are cryptnet.dll, and crypt32.dll supposed to be there? They sound scary...)
and don't beat yourself up. The WinPFind log only has like 800 lines of text, or something :tazz: Carrie
Thanks!

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 3/8/2004 6:25:28 PM 180736 C:\WINDOWS\01April04.scr
aspack 3/1/2005 1:40:38 PM 180736 C:\WINDOWS\01April05.scr
aspack 6/22/2004 3:12:32 PM 180736 C:\WINDOWS\01August04.scr
aspack 6/22/2005 2:12:52 PM 180736 C:\WINDOWS\01August05.scr
aspack 11/2/2003 2:55:06 PM 180736 C:\WINDOWS\01December03.scr
aspack 10/12/2004 4:17:20 AM 180736 C:\WINDOWS\01December04.scr
aspack 10/7/2005 1:13:10 PM 187392 C:\WINDOWS\01December05.scr
aspack 6/26/2002 9:44:14 AM 180736 C:\WINDOWS\01February04.scr
aspack 1/6/2005 2:07:54 PM 180736 C:\WINDOWS\01February05.scr
aspack 12/2/2003 2:46:06 PM 180736 C:\WINDOWS\01January04.scr
aspack 11/19/2004 11:27:10 AM 180736 C:\WINDOWS\01January05.scr
aspack 6/10/2005 8:56:58 PM 180736 C:\WINDOWS\01July05.scr
aspack 4/29/2004 1:10:02 PM 180736 C:\WINDOWS\01June04.scr
aspack 4/27/2005 3:28:08 PM 180736 C:\WINDOWS\01June05.scr
aspack 1/29/2004 3:28:32 PM 180736 C:\WINDOWS\01March04.scr
aspack 1/21/2005 1:27:08 PM 180736 C:\WINDOWS\01March05.scr
aspack 4/13/2004 4:13:54 PM 180736 C:\WINDOWS\01May04.scr
aspack 3/21/2005 1:55:48 PM 180736 C:\WINDOWS\01May05.scr
aspack 10/1/2003 2:19:22 PM 180736 C:\WINDOWS\01November03.scr
aspack 11/21/2005 12:18:38 AM 180736 C:\WINDOWS\01November04.scr
aspack 9/10/2003 6:36:46 PM 180736 C:\WINDOWS\01October03.exe.scr
aspack 9/15/2004 11:35:26 AM 180736 C:\WINDOWS\01October04.scr
aspack 7/26/2004 11:37:50 AM 180736 C:\WINDOWS\01September04.scr
aspack 3/8/2004 6:25:58 PM 180736 C:\WINDOWS\02April04.scr
aspack 3/1/2005 1:41:16 PM 180736 C:\WINDOWS\02April05.scr
aspack 7/20/2004 1:24:48 AM 180736 C:\WINDOWS\02August04.scr
aspack 6/22/2005 2:15:00 PM 180736 C:\WINDOWS\02August05.scr
aspack 11/2/2003 2:56:22 PM 180736 C:\WINDOWS\02December03.scr
aspack 10/12/2004 4:17:50 AM 180736 C:\WINDOWS\02December04.scr
aspack 10/7/2005 12:46:28 PM 187392 C:\WINDOWS\02December05.scr
aspack 1/4/2004 8:46:14 PM 180736 C:\WINDOWS\02February04.scr
aspack 1/6/2005 2:08:44 PM 180736 C:\WINDOWS\02February05.scr
aspack 12/2/2003 2:37:58 PM 180736 C:\WINDOWS\02January04.scr
aspack 11/22/2004 2:42:06 PM 180736 C:\WINDOWS\02January05.scr
aspack 6/10/2005 8:56:22 PM 180736 C:\WINDOWS\02July05.scr
aspack 4/29/2004 1:13:08 PM 180736 C:\WINDOWS\02June04.scr
aspack 4/27/2005 3:28:46 PM 180736 C:\WINDOWS\02June05.scr
aspack 1/29/2004 3:28:58 PM 180736 C:\WINDOWS\02March04.scr
aspack 1/21/2005 1:27:42 PM 180736 C:\WINDOWS\02March05.scr
aspack 4/2/2004 11:13:20 AM 180736 C:\WINDOWS\02May04.scr
aspack 3/21/2005 1:56:26 PM 180736 C:\WINDOWS\02May05.scr
aspack 10/1/2003 2:20:06 PM 180736 C:\WINDOWS\02November03.scr
aspack 9/29/2004 12:16:34 PM 180736 C:\WINDOWS\02November04.scr
aspack 9/10/2003 6:37:10 PM 180736 C:\WINDOWS\02October03.exe.scr
aspack 8/10/2004 2:13:42 PM 180736 C:\WINDOWS\02October04.scr
aspack 7/26/2004 11:40:22 AM 180736 C:\WINDOWS\02September04.scr
aspack 3/8/2004 6:26:28 PM 180736 C:\WINDOWS\03April04.scr
aspack 3/1/2005 1:41:40 PM 180736 C:\WINDOWS\03April05.scr
aspack 6/22/2004 3:14:16 PM 180736 C:\WINDOWS\03August04.scr
aspack 6/22/2005 2:14:20 PM 180736 C:\WINDOWS\03August05.scr
aspack 11/2/2003 2:57:00 PM 180736 C:\WINDOWS\03December03.scr
aspack 10/12/2004 4:18:28 AM 180736 C:\WINDOWS\03December04.scr
aspack 10/7/2005 1:06:32 PM 187392 C:\WINDOWS\03December05.scr
aspack 6/26/2002 9:44:14 AM 180736 C:\WINDOWS\03February04.scr
aspack 1/6/2005 2:09:24 PM 180736 C:\WINDOWS\03February05.scr
aspack 12/2/2003 2:38:50 PM 180736 C:\WINDOWS\03January04.scr
aspack 11/19/2004 11:28:10 AM 180736 C:\WINDOWS\03January05.scr
aspack 6/10/2005 8:55:36 PM 180736 C:\WINDOWS\03July05.scr
aspack 4/29/2004 1:13:32 PM 180736 C:\WINDOWS\03June04.scr
aspack 5/2/2005 11:39:24 AM 180736 C:\WINDOWS\03June05.scr
aspack 1/29/2004 3:33:26 PM 180736 C:\WINDOWS\03March04.scr
aspack 1/21/2005 1:28:12 PM 180736 C:\WINDOWS\03March05.scr
aspack 4/2/2004 11:13:44 AM 180736 C:\WINDOWS\03May04.scr
aspack 3/21/2005 2:06:04 PM 180736 C:\WINDOWS\03May05.scr
aspack 10/1/2003 2:20:32 PM 180736 C:\WINDOWS\03November03.scr
aspack 9/29/2004 12:17:14 PM 180736 C:\WINDOWS\03November04.scr
aspack 9/10/2003 6:37:46 PM 180736 C:\WINDOWS\03October03.exe.scr
aspack 8/10/2004 2:14:14 PM 180736 C:\WINDOWS\03October04.scr
aspack 7/26/2004 11:40:54 AM 180736 C:\WINDOWS\03September04.scr
aspack 11/19/2005 10:32:04 AM 311824 C:\WINDOWS\eFaxView.exe

Checking %System% folder...
UPX! 12/20/2005 4:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/29/2002 2:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 12/8/2005 4:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/8/2005 4:20:26 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/29/2002 2:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/3/2006 11:22:32 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
11/30/2005 8:17:10 PM S 21633 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/3/2006 11:22:24 AM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
1/3/2006 11:22:58 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
1/3/2006 11:22:34 AM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
1/3/2006 11:23:04 AM H 86016 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
1/3/2006 11:22:42 AM H 1224704 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
1/2/2006 6:30:10 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
12/15/2005 10:49:58 PM S 1047 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/15/2005 10:49:58 PM S 1370 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/15/2005 10:49:58 PM S 126 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/15/2005 10:49:58 PM S 194 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/3/2006 11:19:50 AM H 6 C:\WINDOWS\Tasks\SA.DAT
12/27/2005 3:39:52 PM HS 37594 C:\WINDOWS\Temp\$_2341233.TMP

Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 2:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 3/11/2003 1:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc. 7/27/2003 7:05:54 AM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 2:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Creative Technology Ltd. 2/18/2004 6:52:50 AM 176128 C:\WINDOWS\SYSTEM32\USBAudio.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2002 6:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 5:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
9/22/2004 3:44:42 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 6:00:00 AM HS 84 C:\Documents and Settings\Carrie Hafer\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
11/20/2005 12:58:30 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\carabradshaw004.bmp
12/26/2005 8:29:54 AM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\caroleejones008.bmp
11/17/2005 10:21:30 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\caroleejones018.bmp
12/13/2005 1:11:18 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\carolhalm002.bmp
9/3/2002 5:50:46 AM HS 62 C:\Documents and Settings\Carrie Hafer\Application Data\DESKTOP.INI
11/26/2005 3:23:20 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\kaelynnwinn007.bmp
11/21/2005 11:23:40 AM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\lauriefurnell010.bmp
12/3/2005 10:19:18 AM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\lauriefurnell012.bmp
11/16/2005 11:41:26 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\lauriefurnell022.bmp
11/16/2005 11:34:38 PM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\lorielakey002.bmp
11/21/2005 10:49:56 AM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\lorigardner003.bmp
12/22/2005 1:10:44 AM 2359350 C:\Documents and Settings\Carrie Hafer\Application Data\teresakogut001.bmp
12/28/2005 2:44:56 PM HS 54272 C:\Documents and Settings\Carrie Hafer\Application Data\Thumbs.db

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\deskMenu2
{D8A8853A-DB04-45D4-8732-A5CC49CE6107} = C:\WINDOWS\system32\deskMenu2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQMenu
{f802f260-519b-11d1-bb5d-0060974c6013} = C:\Program Files\ICQ\ICQShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQMenu
{f802f260-519b-11d1-bb5d-0060974c6013} = C:\Program Files\ICQ\ICQShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
Comcast Toolbar = C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Web assistant : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{855F3B16-6D32-4fe6-8A56-BBB695989046} = ICQ Toolbar : C:\Program Files\ICQToolbar\toolbaru.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar : C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
ButtonText = ICQ Pro : C:\PROGRA~1\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}
ButtonText = ComcastHSI : http://www.comcast.net/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}
ButtonText = Support : http://www.comcastsupport.com/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}
ButtonText = Help : http://online.comcast.net/help/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}
ButtonText = MUSICMATCH MX Web Player :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Web assistant : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = :
{855F3B16-6D32-4FE6-8A56-BBB695989046} = ICQ Toolbar : C:\Program Files\ICQToolbar\toolbaru.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} = Comcast Toolbar : C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe
item Acrobat Assistant
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~2.0\Distillr\AcroTray.exe
item Acrobat Assistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~3.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~3.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpohmr08.exe
item hp psc 1000 series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item apdproxy
hkey HKLM
command "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\avast!
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ashDisp
hkey HKLM
command C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ashDisp
hkey HKLM
command C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDElbyCDFL
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ElbyCheck
hkey HKLM
command "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ElbyCheck
hkey HKLM
command "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ctfmon
hkey HKCU
command C:\WINDOWS\system32\ctfmon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTSysVol
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTSysVol
hkey HKLM
command C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTSysVol
hkey HKLM
command C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dla
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tfswctrl
hkey HKLM
command C:\WINDOWS\system32\dla\tfswctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvCpl
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\P17Helper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Rundll32 P17
hkey HKLM
command Rundll32 P17.dll,P17Helper
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Rundll32 P17
hkey HKLM
command Rundll32 P17.dll,P17Helper
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCMService
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCMService
hkey HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCMService
hkey HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ReminderApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ReminderApp
hkey HKLM
command C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ReminderApp
hkey HKLM
command C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\THGuard
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item THGuard
hkey HKLM
command "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item THGuard
hkey HKLM
command "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdateManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sgtray
hkey HKLM
command "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdReg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\URLLSTCK.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UrlLstCk
hkey HKLM
command C:\Program Files\Norton Internet Security\UrlLstCk.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UrlLstCk
hkey HKLM
command C:\Program Files\Norton Internet Security\UrlLstCk.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gnotify
hkey HKLM
command C:\Program Files\Google\Gmail Notifier\gnotify.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gnotify
hkey HKLM
command C:\Program Files\Google\Gmail Notifier\gnotify.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/3/2006 11:39:24 AM
  • 0

#24
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Don't worry about these:

http://www.liutiliti...ibrary/crypt32/

http://www.liutiliti...brary/cryptnet/

I'm glad to see msctl32.dll is gone indeed. Hurray for MSAS. :tazz:

One more thing I'd like to see, just so I can figure out why HijackThis didn't show it to us.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • msctl32
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0
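For the registry-search step above, here is an added PowerShell example of my own (not the RegSrch tool's code and not anything posted in the thread) that walks the main hives and reports every key name, value name or value data containing a string. The default search string msctl32 is taken from the post; the hive list, the function name Search-Registry and the output layout are my assumptions.

```powershell
# Added example, not from the thread: recursive registry search for a string,
# roughly what the RegSrch.vbs step in the post does. The default pattern is
# taken from the post; everything else here is an assumption of this example.
param(
    [string]$Pattern = 'msctl32'
)

# Hives to walk. HKU and HKCR have no PSDrive by default, so the
# Registry:: provider path is used for all of them.
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE',
    'Registry::HKEY_CURRENT_USER',
    'Registry::HKEY_USERS',
    'Registry::HKEY_CLASSES_ROOT'
)

function Search-Registry {
    param([string[]]$Roots, [string]$Pattern)

    # Escape the pattern so a literal string is matched, case-insensitively.
    $regex = [regex]::Escape($Pattern)

    foreach ($root in $Roots) {
        # Include the hive root itself, then every subkey. Keys the current
        # account cannot open (SAM, SECURITY, other users' hives) are skipped.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            # 1. The key name itself.
            if ($key.PSChildName -imatch $regex) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }

            # 2. Each value name and its data. Environment strings are left
            #    unexpanded so the stored text is what gets matched.
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
                if ($name -imatch $regex -or $text -imatch $regex) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = if ($name -eq '') { '(Default)' } else { $name }
                        Data  = $text
                    }
                }
            }
        }
    }
}

$hits = @(Search-Registry -Roots $roots -Pattern $Pattern)
if ($hits.Count -eq 0) {
    "No instances of '$Pattern' found."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM subtrees are readable; because unreadable keys are skipped silently, an empty result from a non-administrator session is weaker evidence than a full search. Value data is matched as well as names, which is what catches a DLL that is only referenced from a Run, Winlogon\Notify or AppInit_DLLs value rather than registered under its own key.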

#25
CarrieDH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Search completed, no instances found?

Carrie
  • 0

#26
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That means it is gone completely. :tazz:

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0

#27
CarrieDH

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I looked at your site, and I have a question. I picked this up simply by browsing to a page that came up when I searched on the internet (didn't download anything, click on anything, nothing) and I had a firewall, an antivirus program, and anti-spyware installed. How can I set my browser (or do I do something else?) to prevent this from happening to me accidentally again? Thank you for all your help!

Carrie
  • 0

#28
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
That depends on the way it was installed.

Recently a few new exploits have been found. These will be patched soon by Microsoft, so it won't happen again (in the same way).

Although you can find ways to secure IE on my site, many of the other helpers on the forums and I use different browsers for "the dangerzone".
Firefox is very popular: http://www.mozilla.com/firefox/
and I prefer Opera: http://www.opera.com/

Regards,
  • 0
