Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

axxt32.dll?

Started by Chromo , Jan 16 2006 12:06 AM

Please log in to reply

#16
Chromo

Posted 22 January 2006 - 03:41 PM

Member

Topic Starter
Member
20 posts

i tried lookin for the 2 files, but i couldnt find them. my folder options are set to show hidden files too.

#17
Wizard

Posted 23 January 2006 - 08:33 AM

Retired Staff

Retired Staff
5,661 posts

Run theSubmit Files Packer program again

Highlight the entries listed below in bold and right-click,then select Copy.

C:\WINDOWS\System32\axxt32.sys
C:\WINDOWS\System32\axxt64.sys

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Monster.cab).

Then go to:
http://www.atribune....mit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

#18
Chromo

Posted 23 January 2006 - 05:53 PM

Member

Topic Starter
Member
20 posts

all right, the file has been sent.

#19
Wizard

Posted 23 January 2006 - 06:12 PM

Retired Staff

Retired Staff
5,661 posts

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:

At this point please type the following: axxt
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog.

#20
Chromo

Posted 23 January 2006 - 07:05 PM

Member

Topic Starter
Member
20 posts

HAXFIX logfile
--------------
by Marckie

haxdoor key: axxt

searching for services....
services found

deleting services.....
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS

rebooting the computer.....

haxdoor notify subkey: axxt

searching for services....
services not found

checking if files are found.....
axxt32.dll exist
klogini.dll exist
p3.ini exist
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
qy.sys not found
ps.a3d not found

deleting files.....

checking if files are deleted.....
axxt32.dll not found
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
qy.sys not found
ps.a3d not found

Finished

Logfile of HijackThis v1.99.1
Scan saved at 5:05:07 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137266969765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137444175281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#21
Wizard

Posted 24 January 2006 - 03:45 AM

Retired Staff

Retired Staff
5,661 posts

If you will generate another HijackThis Startup log and post those results in one reply.

Go into Safe Mode and Scan with WinPFind once more.

Restart Normal and have the PC scanned here
http://www.bitdefend...can/licence.php

In a seperate reply,post the WinPFind results along with any results from the Bit Defender Scan.

#22
Chromo

Posted 24 January 2006 - 08:44 AM

Member

Topic Starter
Member
20 posts

StartupList report, 1/24/2006, 6:43:55 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
hpsysdrv = c:\windows\system\hpsysdrv.exe
HostManager = C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
Error Nuker = C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor = ALCXMNTR.EXE
IgfxTray = C:\WINDOWS\system32\igfxtray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Screamer Radio sleeptimer.job
Screamer Radio.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[FXPluginCtl Object]
InProcServer32 = C:\WINDOWS\System32\FXPlugin.dll
CODEBASE = http://www.powerflas...in/powerres.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1137266969765

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1137444175281

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Update interface wA6: \??\C:\WINDOWS\System32\avAw6.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Belkin 802.11 Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox3: System32\DRIVERS\ctpdusb.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E7A3D552-D1EE-4DFD-8C00-152351E065BE} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,123 bytes
Report generated in 0.140 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#23
Wizard

Posted 24 January 2006 - 06:13 PM

Retired Staff

Retired Staff
5,661 posts

Go to Add\Remove Programs and Remove Error Nuker if found.

Locate and Delete--> C:\Program Files\Error Nuker<-- Folder

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Post back with the Bit Defender and WinPFind Results in the next reply.

#24
Chromo

Posted 26 January 2006 - 12:07 AM

Member

Topic Starter
Member
20 posts

the bit defender scan

Statistics

Time

03:03:24

Files

737623

Folders

12814

Boot Sectors

3

Archives

20725

Packed Files

46122

Results

Identified Viruses

15

Infected Files

19

Suspect Files

9

Warnings

0

Disinfected

0

Deleted Files

28

Engines Info

Virus Definitions

253795

Engine build

AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins

13

Archive plugins

39

Unpack plugins

4

E-mail plugins

6

System plugins

1

Scan Settings

First Action

Disinfect

Second Action

Delete

Heuristics

Yes

Enable Warnings

Yes

Scanned Extensions

*;

Exclude Extensions

Scan Emails

Yes

Scan Archives

Yes

Scan Packed

Yes

Scan Files

Yes

Scan Boot

Yes

Scanned File

Status

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip

Infected with: Trojan.Downloader.Java.Openstream.W

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip

Disinfection failed

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip

Deleted

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Infected with: Trojan.XEmu.A

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Disinfection failed

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Deleted

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)

Updated

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip

Update failed

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Infected with: Trojan.XEmu.A

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Disinfection failed

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘Ì/Xbox/xbox_emulator.0.34.exe

Deleted

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip

Updated

C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe

Suspected of: BehavesLike:Trojan.WinlogonHook

C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt

Suspected of: BehavesLike:Trojan.StartPage

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt

Infected with: Trojan.Downloader.Haxdor.A

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt

Infected with: Trojan.Qhost.EL

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt

Infected with: Dropped:Trojan.SpamTool.E

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt

Suspected of: Trojan.SpySheriff.E

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt

Deleted

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm

Infected with: Trojan.SpySheriff.C

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm

Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm

Deleted

C:\hp\region\EN_US-ie.reg

Infected with: Trojan.Winreg.Startpage.W

C:\hp\region\EN_US-ie.reg

Disinfection failed

C:\hp\region\EN_US-ie.reg

Deleted

C:\Program Files\Common Files\win61.exe

Infected with: Dropped:Trojan.Clicker.Vb.GS

C:\Program Files\Common Files\win61.exe

Disinfection failed

C:\Program Files\Common Files\win61.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe

Infected with: Trojan.Dialer.AY2

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe

Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe

Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg

Infected with: Trojan.Winreg.Startpage.W

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe

Infected with: Dropped:Trojan.Clicker.Vb.GS

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe

Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll

Infected with: Trojan.Downloader.Small.GP

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe

Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002

Infected with: Trojan.Downloader.Istbar.NN

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)

Update failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe

Infected with: Trojan.Valuead.A

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe

Infected with: Trojan.Downloader.Agent.OM

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001

Suspected of: BehavesLike:Trojan.Downloader

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001

Deleted

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)

Update failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe

Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe

Disinfection failed

C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe

Deleted

C:\WINDOWS\system32\msctl32.dll

Infected with: Trojan.SpamTool.E

C:\WINDOWS\system32\msctl32.dll

Disinfection failed

C:\WINDOWS\system32\msctl32.dll

Deleted

C:\WINDOWS\system32\CURITY~1\mmc.exe

Infected with: Trojan.Purityad.CQ

C:\WINDOWS\system32\CURITY~1\mmc.exe

Disinfection failed

C:\WINDOWS\system32\CURITY~1\mmc.exe

Deleted

C:\WINDOWS\tool1.exe

Infected with: Dropped:Trojan.SpamTool.E

C:\WINDOWS\tool1.exe

Disinfection failed

C:\WINDOWS\tool1.exe

Deleted

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 12/26/2004 3:42:36 PM 24197 C:\WINDOWS\setfgi.dll
UPX! 12/17/2004 7:04:02 PM 24197 C:\WINDOWS\ssysprs.dll

Checking %System% folder...
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\28ic7gv3.ini
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\abasa5jrp.ini
aspack 3/18/2005 4:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 1/29/2003 1:10:06 AM 7168 C:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/29/2003 1:10:06 AM 46592 C:\WINDOWS\SYSTEM32\vorbis.dll
winsync 8/29/2002 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/25/2006 6:11:08 PM S 2048 C:\WINDOWS\bootstat.dat
1/23/2006 10:38:02 PM H 54156 C:\WINDOWS\QTFont.qfn
1/16/2006 1:01:00 PM H 25200 C:\WINDOWS\Help\mplayer2.GID
1/16/2006 12:15:46 PM H 0 C:\WINDOWS\inf\oem27.inf
12/31/2005 9:14:52 PM H 0 C:\WINDOWS\inf\oem40.inf
1/16/2006 8:17:00 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
11/30/2005 8:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/25/2006 6:10:58 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/25/2006 6:11:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/25/2006 6:11:08 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/25/2006 6:11:24 PM H 65536 C:\WINDOWS\system32\config\software.LOG
1/25/2006 6:11:14 PM H 995328 C:\WINDOWS\system32\config\system.LOG
1/16/2006 1:37:38 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/19/2006 7:00:48 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/19/2006 7:00:48 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
12/31/2005 6:33:46 PM RHS 4256 C:\WINDOWS\system32\drivers\HP_DF216A-ABA S4300NX NA210_YW_Pres_QMXK320_E33NAheRED4 _4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.06_T030508_WXH1_L409_M504_J120_7Intel_8Pentium 4_92.4_1104C8023_N10EC8139_P_Z11C1044E_K_A808624D5_U808624D2_G80862572.MRK
12/31/2005 9:08:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6cb53062-9bbb-4b16-9fbf-e0e483c2b59a
12/31/2005 9:08:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\014a6e47-9d20-4981-a436-7237dbb5a307
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0d6c9397-ca47-4ad4-a0ce-b967c2bf5ddd
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\36b0b96f-7542-48b1-9fe6-96fcf5b45637
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4694f395-49c1-4004-95b8-af71ae978473
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4954a6f4-9fb4-4224-a93b-5f88679a3bf6
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\73e42a94-41ab-4541-a377-03313a0225be
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7c4da840-f2b1-4e94-9b4a-af56ef53bc40
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd8c80e2-2d09-4907-be61-8dabd81203e0
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c21df015-7f20-40c8-bfa0-753016175c03
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cc8b3ad8-85c3-451e-a555-e6127dad815c
12/31/2005 6:09:02 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/25/2006 6:10:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/31/2005 6:25:24 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0J7SYKRI\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6DQDGVSJ\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GK7RU2CK\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XGTT0CCZ\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
11/11/1999 8:11:00 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/24/2005 7:30:52 PM 14336 C:\WINDOWS\SYSTEM32\infocardcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Realtek Semiconductor Corp. 2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL
Intel Corporation 3/11/2003 4:18:48 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/23/2005 12:42:16 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/6/2005 9:32:04 PM 80 C:\Documents and Settings\Owner\Application Data\diggtray.data

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 C:\WINDOWS\system32\ps2.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
hpsysdrv c:\windows\system\hpsysdrv.exe
HostManager C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor ALCXMNTR.EXE
IgfxTray C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIEW rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/25/2006 6:22:27 PM

#25
Wizard

Posted 26 January 2006 - 04:23 AM

Retired Staff

Retired Staff
5,661 posts

Go back to Safe Mode and Open Pocket Killbox.

Copy&Paste each entry below,one at a time,into Killbox

C:\WINDOWS\setfgi.dll

C:\WINDOWS\ssysprs.dll

C:\WINDOWS\system32\msctl32.dll

C:\WINDOWS\tool1.exe

C:\WINDOWS\SYSTEM32\28ic7gv3.ini

C:\WINDOWS\SYSTEM32\abasa5jrp.ini

C:\WINDOWS\system32\CURITY~1\mmc.exe

C:\Program Files\Common Files\win61.exe

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt

C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip

As you paste each entry in,place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete

Confirm that every entry was either deleted or did not exist.

Restart Normal and Download The Hoster from here:
http://www.funkytoad...load/hoster.zip

Right Click the Zip Folder and Select "Extract All"

Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled

Click "Back up Host files"

Press "Restore Original Hosts" and press "OK"

Exit the Program.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#26
Chromo

Posted 27 January 2006 - 07:03 PM

Member

Topic Starter
Member
20 posts

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 27, 2006 17:01:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/01/2006
Kaspersky Anti-Virus database records: 162858
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 205067
Number of viruses found: 13
Number of infected objects: 46
Number of suspicious objects: 1
Duration of the scan process: 11337 sec

Infected Object Name - Virus Name
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Program Files\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\WINDOWS\system32\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\WINDOWS\system32\drivers\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\WINDOWS\system32\drivers\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\WINDOWS\system32\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\mchschap.exe Infected: Trojan.Win32.Crypt.t

Scan process completed.

#27
Wizard

Posted 28 January 2006 - 09:55 AM

Retired Staff

Retired Staff
5,661 posts

If you will,go to this Upload Site

Upload these files

C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\drivers\swmrdpdr.sys

Go into Safe Mode and Be sure Windows is Showing Hidden Files.
http://www.bleepingc...al62.html#winxp

Open Pocket Killbox-> Copy&Paste each entry below,one at a time,into Killbox.

C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\dedi.dll
C:\WINDOWS\system32\GS2.exe
C:\WINDOWS\system32\mchschap.exe
C:\WINDOWS\system32\drivers\i386p.sys
C:\WINDOWS\system32\drivers\swmrdpdr.sys
C:\Program Files\apsi
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK

As you paste each entry in,place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

C:\Temp

C:\Windows\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\<Your Profile>\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning)

Restart Normal and Scan once more with Kaspersky Online Scanner.

Post those resutls in the next reply.

Edited by Cretemonster, 28 January 2006 - 09:56 AM.

#28
Chromo

Posted 29 January 2006 - 11:09 PM

Member

Topic Starter
Member
20 posts

i just sent the files, i deleted all the files except for hsperfdata_Owner, it said it was in use but im not sure whats using it.

#29
Chromo

Posted 30 January 2006 - 08:45 AM

Member

Topic Starter
Member
20 posts

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 30, 2006 06:43:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/01/2006
Kaspersky Anti-Virus database records: 173848
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 195988
Number of viruses found: 25
Number of infected objects: 77
Number of suspicious objects: 3
Duration of the scan process: 10732 sec

Infected Object Name - Virus Name
C:\!KillBox\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\!KillBox\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\!KillBox\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\!KillBox\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\!KillBox\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/WINDOWS/system32/drivers/swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\chromo.cab Infected: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe/data0003 Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002829.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026281.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dl
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026558.dll Infected: Trojan.Win32.StartPage.vr
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026560.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026561.sys Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026562.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009339.exe Infected: not-a-virus:AdWare.Win32.ShopNav.l
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe/data0002 Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\WINDOWS\package8032_SIAC.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\system32\dnscore.dll Infected: not-a-virus:AdWare.Win32.MediaBack.a
C:\WINDOWS\system32\WіnSxS\winlogon.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bv

Scan process completed.

#30
Wizard

Posted 04 February 2006 - 07:32 AM

Retired Staff

Retired Staff
5,661 posts

My apologies,I got called out of town on emergency buisness.

Go back to Safe Mode,Run each entry below through Killbox

C:\WINDOWS\package8032_SIAC.exe

C:\WINDOWS\system32\dnscore.dll

C:\WINDOWS\system32\WіnSxS\winlogon.exe

C:\Documents and Settings\Owner\Desktop\chromo.cab

C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers

As you paste each in,place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete

While in Safe Mode,be sure Windows is Showing Hidden Files and Folders
http://www.bleepingc...al62.html#winxp

Navigate to this folder-> C:\WINDOWS\system32\WіnSxS

Make me a list of everything you see inside that folder,please.

Restart Normal and post the list from that folder.