axxt32.dll?
Started by
Chromo
, Jan 16 2006 12:06 AM
#16
Posted 22 January 2006 - 03:41 PM
#17
Posted 23 January 2006 - 08:33 AM
Run theSubmit Files Packer program again
Highlight the entries listed below in bold and right-click,then select Copy.
C:\WINDOWS\System32\axxt32.sys
C:\WINDOWS\System32\axxt64.sys
Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.
Then press the Continue button.
I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.
Rename this file to yourmembername.cab (for example Monster.cab).
Then go to:
http://www.atribune....mit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
Highlight the entries listed below in bold and right-click,then select Copy.
C:\WINDOWS\System32\axxt32.sys
C:\WINDOWS\System32\axxt64.sys
Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.
Then press the Continue button.
I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.
Rename this file to yourmembername.cab (for example Monster.cab).
Then go to:
http://www.atribune....mit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
#18
Posted 23 January 2006 - 05:53 PM
all right, the file has been sent.
#19
Posted 23 January 2006 - 06:12 PM
Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:
At this point please type the following: axxt
Press Enter to continue with the fix.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:
Insert the haxdoor notify subkey without the numbers,
and then press enter:
At this point please type the following: axxt
Press Enter to continue with the fix.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog.
#20
Posted 23 January 2006 - 07:05 PM
HAXFIX logfile
--------------
by Marckie
haxdoor key: axxt
searching for services....
services found
deleting services.....
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
rebooting the computer.....
haxdoor notify subkey: axxt
searching for services....
services not found
checking if files are found.....
axxt32.dll exist
klogini.dll exist
p3.ini exist
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
qy.sys not found
ps.a3d not found
deleting files.....
checking if files are deleted.....
axxt32.dll not found
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
qy.sys not found
ps.a3d not found
Finished
Logfile of HijackThis v1.99.1
Scan saved at 5:05:07 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137266969765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137444175281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------------
by Marckie
haxdoor key: axxt
searching for services....
services found
deleting services.....
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
[SWSC] StopService FAIL
[SWSC] DeleteService SUCCESS
rebooting the computer.....
haxdoor notify subkey: axxt
searching for services....
services not found
checking if files are found.....
axxt32.dll exist
klogini.dll exist
p3.ini exist
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
qy.sys not found
ps.a3d not found
deleting files.....
checking if files are deleted.....
axxt32.dll not found
axxt32.sys not found
axxt64.sys not found
klgcptini.dat not found
qz.dll not found
qz.sys not found
stt82.ini not found
klogini.dll not found
p3.ini not found
qy.sys not found
ps.a3d not found
Finished
Logfile of HijackThis v1.99.1
Scan saved at 5:05:07 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137266969765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137444175281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
#21
Posted 24 January 2006 - 03:45 AM
If you will generate another HijackThis Startup log and post those results in one reply.
Go into Safe Mode and Scan with WinPFind once more.
Restart Normal and have the PC scanned here
http://www.bitdefend...can/licence.php
In a seperate reply,post the WinPFind results along with any results from the Bit Defender Scan.
Go into Safe Mode and Scan with WinPFind once more.
Restart Normal and have the PC scanned here
http://www.bitdefend...can/licence.php
In a seperate reply,post the WinPFind results along with any results from the Bit Defender Scan.
#22
Posted 24 January 2006 - 08:44 AM
StartupList report, 1/24/2006, 6:43:55 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
hpsysdrv = c:\windows\system\hpsysdrv.exe
HostManager = C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
Error Nuker = C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor = ALCXMNTR.EXE
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NVIEW = rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Screamer Radio sleeptimer.job
Screamer Radio.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[FXPluginCtl Object]
InProcServer32 = C:\WINDOWS\System32\FXPlugin.dll
CODEBASE = http://www.powerflas...in/powerres.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1137266969765
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1137444175281
[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab
[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Update interface wA6: \??\C:\WINDOWS\System32\avAw6.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Belkin 802.11 Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox3: System32\DRIVERS\ctpdusb.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E7A3D552-D1EE-4DFD-8C00-152351E065BE} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 34,123 bytes
Report generated in 0.140 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
hpsysdrv = c:\windows\system\hpsysdrv.exe
HostManager = C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
Error Nuker = C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor = ALCXMNTR.EXE
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NVIEW = rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 = "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Screamer Radio sleeptimer.job
Screamer Radio.job
Symantec NetDetect.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[FXPluginCtl Object]
InProcServer32 = C:\WINDOWS\System32\FXPlugin.dll
CODEBASE = http://www.powerflas...in/powerres.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1137266969765
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1137444175281
[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab
[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Update interface wA6: \??\C:\WINDOWS\System32\avAw6.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Belkin 802.11 Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Jukebox3: System32\DRIVERS\ctpdusb.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
PfModNT: \??\C:\WINDOWS\System32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E7A3D552-D1EE-4DFD-8C00-152351E065BE} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel® Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel® Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 34,123 bytes
Report generated in 0.140 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#23
Posted 24 January 2006 - 06:13 PM
Go to Add\Remove Programs and Remove Error Nuker if found.
Locate and Delete--> C:\Program Files\Error Nuker<-- Folder
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Post back with the Bit Defender and WinPFind Results in the next reply.
Locate and Delete--> C:\Program Files\Error Nuker<-- Folder
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflas...in/powerres.cab
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Post back with the Bit Defender and WinPFind Results in the next reply.
#24
Posted 26 January 2006 - 12:07 AM
the bit defender scan
Statistics
Time
03:03:24
Files
737623
Folders
12814
Boot Sectors
3
Archives
20725
Packed Files
46122
Results
Identified Viruses
15
Infected Files
19
Suspect Files
9
Warnings
0
Disinfected
0
Deleted Files
28
Engines Info
Virus Definitions
253795
Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins
13
Archive plugins
39
Unpack plugins
4
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Infected with: Trojan.Downloader.Java.Openstream.W
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Disinfection failed
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Infected with: Trojan.XEmu.A
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Disinfection failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)
Updated
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
Update failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Infected with: Trojan.XEmu.A
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Disinfection failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
Updated
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Suspected of: BehavesLike:Trojan.WinlogonHook
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Suspected of: BehavesLike:Trojan.StartPage
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Infected with: Trojan.Downloader.Haxdor.A
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Infected with: Trojan.Qhost.EL
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Infected with: Dropped:Trojan.SpamTool.E
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Suspected of: Trojan.SpySheriff.E
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Infected with: Trojan.SpySheriff.C
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Deleted
C:\hp\region\EN_US-ie.reg
Infected with: Trojan.Winreg.Startpage.W
C:\hp\region\EN_US-ie.reg
Disinfection failed
C:\hp\region\EN_US-ie.reg
Deleted
C:\Program Files\Common Files\win61.exe
Infected with: Dropped:Trojan.Clicker.Vb.GS
C:\Program Files\Common Files\win61.exe
Disinfection failed
C:\Program Files\Common Files\win61.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe
Infected with: Trojan.Dialer.AY2
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Infected with: Trojan.Winreg.Startpage.W
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Infected with: Dropped:Trojan.Clicker.Vb.GS
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Infected with: Trojan.Downloader.Small.GP
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Istbar.NN
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Infected with: Trojan.Valuead.A
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Infected with: Trojan.Downloader.Agent.OM
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Deleted
C:\WINDOWS\system32\msctl32.dll
Infected with: Trojan.SpamTool.E
C:\WINDOWS\system32\msctl32.dll
Disinfection failed
C:\WINDOWS\system32\msctl32.dll
Deleted
C:\WINDOWS\system32\CURITY~1\mmc.exe
Infected with: Trojan.Purityad.CQ
C:\WINDOWS\system32\CURITY~1\mmc.exe
Disinfection failed
C:\WINDOWS\system32\CURITY~1\mmc.exe
Deleted
C:\WINDOWS\tool1.exe
Infected with: Dropped:Trojan.SpamTool.E
C:\WINDOWS\tool1.exe
Disinfection failed
C:\WINDOWS\tool1.exe
Deleted
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 12/26/2004 3:42:36 PM 24197 C:\WINDOWS\setfgi.dll
UPX! 12/17/2004 7:04:02 PM 24197 C:\WINDOWS\ssysprs.dll
Checking %System% folder...
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\28ic7gv3.ini
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\abasa5jrp.ini
aspack 3/18/2005 4:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 1/29/2003 1:10:06 AM 7168 C:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/29/2003 1:10:06 AM 46592 C:\WINDOWS\SYSTEM32\vorbis.dll
winsync 8/29/2002 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
UPX! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/25/2006 6:11:08 PM S 2048 C:\WINDOWS\bootstat.dat
1/23/2006 10:38:02 PM H 54156 C:\WINDOWS\QTFont.qfn
1/16/2006 1:01:00 PM H 25200 C:\WINDOWS\Help\mplayer2.GID
1/16/2006 12:15:46 PM H 0 C:\WINDOWS\inf\oem27.inf
12/31/2005 9:14:52 PM H 0 C:\WINDOWS\inf\oem40.inf
1/16/2006 8:17:00 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
11/30/2005 8:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/25/2006 6:10:58 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/25/2006 6:11:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/25/2006 6:11:08 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/25/2006 6:11:24 PM H 65536 C:\WINDOWS\system32\config\software.LOG
1/25/2006 6:11:14 PM H 995328 C:\WINDOWS\system32\config\system.LOG
1/16/2006 1:37:38 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/19/2006 7:00:48 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/19/2006 7:00:48 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
12/31/2005 6:33:46 PM RHS 4256 C:\WINDOWS\system32\drivers\HP_DF216A-ABA S4300NX NA210_YW_Pres_QMXK320_E33NAheRED4 _4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.06_T030508_WXH1_L409_M504_J120_7Intel_8Pentium 4_92.4_1104C8023_N10EC8139_P_Z11C1044E_K_A808624D5_U808624D2_G80862572.MRK
12/31/2005 9:08:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6cb53062-9bbb-4b16-9fbf-e0e483c2b59a
12/31/2005 9:08:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\014a6e47-9d20-4981-a436-7237dbb5a307
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0d6c9397-ca47-4ad4-a0ce-b967c2bf5ddd
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\36b0b96f-7542-48b1-9fe6-96fcf5b45637
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4694f395-49c1-4004-95b8-af71ae978473
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4954a6f4-9fb4-4224-a93b-5f88679a3bf6
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\73e42a94-41ab-4541-a377-03313a0225be
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7c4da840-f2b1-4e94-9b4a-af56ef53bc40
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd8c80e2-2d09-4907-be61-8dabd81203e0
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c21df015-7f20-40c8-bfa0-753016175c03
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cc8b3ad8-85c3-451e-a555-e6127dad815c
12/31/2005 6:09:02 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/25/2006 6:10:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/31/2005 6:25:24 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0J7SYKRI\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6DQDGVSJ\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GK7RU2CK\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XGTT0CCZ\desktop.ini
Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
11/11/1999 8:11:00 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/24/2005 7:30:52 PM 14336 C:\WINDOWS\SYSTEM32\infocardcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Realtek Semiconductor Corp. 2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL
Intel Corporation 3/11/2003 4:18:48 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\ALSNDMGR.CPL
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/23/2005 12:42:16 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/6/2005 9:32:04 PM 80 C:\Documents and Settings\Owner\Application Data\diggtray.data
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 C:\WINDOWS\system32\ps2.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
hpsysdrv c:\windows\system\hpsysdrv.exe
HostManager C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor ALCXMNTR.EXE
IgfxTray C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIEW rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/25/2006 6:22:27 PM
Statistics
Time
03:03:24
Files
737623
Folders
12814
Boot Sectors
3
Archives
20725
Packed Files
46122
Results
Identified Viruses
15
Infected Files
19
Suspect Files
9
Warnings
0
Disinfected
0
Deleted Files
28
Engines Info
Virus Definitions
253795
Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins
13
Archive plugins
39
Unpack plugins
4
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Infected with: Trojan.Downloader.Java.Openstream.W
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Disinfection failed
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Infected with: Trojan.XEmu.A
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Disinfection failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>(ZIP Sfx g)
Updated
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
Update failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Infected with: Trojan.XEmu.A
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Disinfection failed
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip=>ƒGƒ~ƒ…ƒŒ[ƒ^[–{‘̀/Xbox/xbox_emulator.0.34.exe
Deleted
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
Updated
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Suspected of: BehavesLike:Trojan.WinlogonHook
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Suspected of: BehavesLike:Trojan.StartPage
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Infected with: Trojan.Downloader.Haxdor.A
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Infected with: Trojan.Qhost.EL
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Infected with: Dropped:Trojan.SpamTool.E
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Suspected of: Trojan.SpySheriff.E
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
Deleted
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Infected with: Trojan.SpySheriff.C
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Disinfection failed
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
Deleted
C:\hp\region\EN_US-ie.reg
Infected with: Trojan.Winreg.Startpage.W
C:\hp\region\EN_US-ie.reg
Disinfection failed
C:\hp\region\EN_US-ie.reg
Deleted
C:\Program Files\Common Files\win61.exe
Infected with: Dropped:Trojan.Clicker.Vb.GS
C:\Program Files\Common Files\win61.exe
Disinfection failed
C:\Program Files\Common Files\win61.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe
Infected with: Trojan.Dialer.AY2
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002838.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002998.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP11\A0003059.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Infected with: Trojan.Winreg.Startpage.W
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026278.reg
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Infected with: Dropped:Trojan.Clicker.Vb.GS
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026279.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003715.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Infected with: Trojan.Downloader.Small.GP
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP22\A0003726.dll
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP72\A0005779.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Istbar.NN
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)=>zlib_nsis0002
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Infected with: Trojan.Valuead.A
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009305.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Infected with: Trojan.Downloader.Agent.OM
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009337.exe
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Suspected of: BehavesLike:Trojan.Downloader
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)=>zlib_nsis0001
Deleted
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Suspected of: Dropped:Generic.Malware.SYdld.8106CB7F
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Disinfection failed
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP9\A0002734.exe
Deleted
C:\WINDOWS\system32\msctl32.dll
Infected with: Trojan.SpamTool.E
C:\WINDOWS\system32\msctl32.dll
Disinfection failed
C:\WINDOWS\system32\msctl32.dll
Deleted
C:\WINDOWS\system32\CURITY~1\mmc.exe
Infected with: Trojan.Purityad.CQ
C:\WINDOWS\system32\CURITY~1\mmc.exe
Disinfection failed
C:\WINDOWS\system32\CURITY~1\mmc.exe
Deleted
C:\WINDOWS\tool1.exe
Infected with: Dropped:Trojan.SpamTool.E
C:\WINDOWS\tool1.exe
Disinfection failed
C:\WINDOWS\tool1.exe
Deleted
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 8/22/2004 4:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 12/26/2004 3:42:36 PM 24197 C:\WINDOWS\setfgi.dll
UPX! 12/17/2004 7:04:02 PM 24197 C:\WINDOWS\ssysprs.dll
Checking %System% folder...
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\28ic7gv3.ini
SAHAgent 10/22/2005 9:06:58 AM 32 C:\WINDOWS\SYSTEM32\abasa5jrp.ini
aspack 3/18/2005 4:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/29/2002 4:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 12/7/2005 9:05:52 AM 573952 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/20/2004 3:56:24 PM 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 1/29/2003 1:10:06 AM 7168 C:\WINDOWS\SYSTEM32\ogg.dll
Umonitor 8/3/2004 11:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/29/2003 1:10:06 AM 46592 C:\WINDOWS\SYSTEM32\vorbis.dll
winsync 8/29/2002 4:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
UPX! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/16/2006 9:21:52 AM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/25/2006 6:11:08 PM S 2048 C:\WINDOWS\bootstat.dat
1/23/2006 10:38:02 PM H 54156 C:\WINDOWS\QTFont.qfn
1/16/2006 1:01:00 PM H 25200 C:\WINDOWS\Help\mplayer2.GID
1/16/2006 12:15:46 PM H 0 C:\WINDOWS\inf\oem27.inf
12/31/2005 9:14:52 PM H 0 C:\WINDOWS\inf\oem40.inf
1/16/2006 8:17:00 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
11/30/2005 8:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 4:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 3:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/25/2006 6:10:58 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/25/2006 6:11:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/25/2006 6:11:08 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/25/2006 6:11:24 PM H 65536 C:\WINDOWS\system32\config\software.LOG
1/25/2006 6:11:14 PM H 995328 C:\WINDOWS\system32\config\system.LOG
1/16/2006 1:37:38 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/19/2006 7:00:48 AM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/19/2006 7:00:48 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
1/19/2006 7:00:48 AM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
1/16/2006 3:01:58 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
12/31/2005 6:33:46 PM RHS 4256 C:\WINDOWS\system32\drivers\HP_DF216A-ABA S4300NX NA210_YW_Pres_QMXK320_E33NAheRED4 _4_I P4SD-LA _SASUSTeK Computer INC._VRev 1.xx_B3.06_T030508_WXH1_L409_M504_J120_7Intel_8Pentium 4_92.4_1104C8023_N10EC8139_P_Z11C1044E_K_A808624D5_U808624D2_G80862572.MRK
12/31/2005 9:08:08 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6cb53062-9bbb-4b16-9fbf-e0e483c2b59a
12/31/2005 9:08:08 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\014a6e47-9d20-4981-a436-7237dbb5a307
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0d6c9397-ca47-4ad4-a0ce-b967c2bf5ddd
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\36b0b96f-7542-48b1-9fe6-96fcf5b45637
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4694f395-49c1-4004-95b8-af71ae978473
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4954a6f4-9fb4-4224-a93b-5f88679a3bf6
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\73e42a94-41ab-4541-a377-03313a0225be
12/31/2005 6:09:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7c4da840-f2b1-4e94-9b4a-af56ef53bc40
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\bd8c80e2-2d09-4907-be61-8dabd81203e0
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c21df015-7f20-40c8-bfa0-753016175c03
12/31/2005 6:09:02 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\cc8b3ad8-85c3-451e-a555-e6127dad815c
12/31/2005 6:09:02 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/25/2006 6:10:04 PM H 6 C:\WINDOWS\Tasks\SA.DAT
12/31/2005 6:25:24 PM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0J7SYKRI\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6DQDGVSJ\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GK7RU2CK\desktop.ini
12/31/2005 6:25:24 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XGTT0CCZ\desktop.ini
Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
11/11/1999 8:11:00 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 8/20/2004 3:53:06 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/24/2005 7:30:52 PM 14336 C:\WINDOWS\SYSTEM32\infocardcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/29/2002 4:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Realtek Semiconductor Corp. 2/17/2004 5:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL
Intel Corporation 3/11/2003 4:18:48 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\ALSNDMGR.CPL
Realtek Semiconductor Corp. 3/11/2003 4:21:40 PM 3554304 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\ALSNDMGR.CPL
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/23/2005 12:42:16 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
4/10/2003 1:49:46 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
4/9/2003 6:41:42 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
12/6/2005 9:32:04 PM 80 C:\Documents and Settings\Owner\Application Data\diggtray.data
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 C:\WINDOWS\system32\ps2.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
hpsysdrv c:\windows\system\hpsysdrv.exe
HostManager C:\Program Files\Common Files\AOL\1136953129\ee\AOLSoftware.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
AlcxMonitor ALCXMNTR.EXE
IgfxTray C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIEW rundll32.exe nview.dll,nViewLoadHook
Yahoo! Pager C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/25/2006 6:22:27 PM
#25
Posted 26 January 2006 - 04:23 AM
Go back to Safe Mode and Open Pocket Killbox.
Copy&Paste each entry below,one at a time,into Killbox
C:\WINDOWS\setfgi.dll
C:\WINDOWS\ssysprs.dll
C:\WINDOWS\system32\msctl32.dll
C:\WINDOWS\tool1.exe
C:\WINDOWS\SYSTEM32\28ic7gv3.ini
C:\WINDOWS\SYSTEM32\abasa5jrp.ini
C:\WINDOWS\system32\CURITY~1\mmc.exe
C:\Program Files\Common Files\win61.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
As you paste each entry in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"
Click the Red Circle with the White X in the Middle to Delete
Confirm that every entry was either deleted or did not exist.
Restart Normal and Download The Hoster from here:
http://www.funkytoad...load/hoster.zip
Right Click the Zip Folder and Select "Extract All"
Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled
Click "Back up Host files"
Press "Restore Original Hosts" and press "OK"
Exit the Program.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Copy&Paste each entry below,one at a time,into Killbox
C:\WINDOWS\setfgi.dll
C:\WINDOWS\ssysprs.dll
C:\WINDOWS\system32\msctl32.dll
C:\WINDOWS\tool1.exe
C:\WINDOWS\SYSTEM32\28ic7gv3.ini
C:\WINDOWS\SYSTEM32\abasa5jrp.ini
C:\WINDOWS\system32\CURITY~1\mmc.exe
C:\Program Files\Common Files\win61.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\secure32[1].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SV2NTSPN\tool2[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\tool1[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\hosts[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\tool4[1].txt
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\paytime[1].txt
C:\Documents and Settings\Owner\Local Settings\Temp\tBmp407.exe
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\EMU. & ROMS\Emulator Pack - All Consoles [XBOX.PS2.PSX.DC.N64.GBA.GB.WS.NGP.SS.SFC.FC.GG.MD.MAME.PC88.PCE].zip
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-42169ffb.zip
As you paste each entry in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"
Click the Red Circle with the White X in the Middle to Delete
Confirm that every entry was either deleted or did not exist.
Restart Normal and Download The Hoster from here:
http://www.funkytoad...load/hoster.zip
Right Click the Zip Folder and Select "Extract All"
Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled
Click "Back up Host files"
Press "Restore Original Hosts" and press "OK"
Exit the Program.
Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Scan Mail Bases - Click OK
- Now under select a target to scan:Select My Computer
- This will program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
#26
Posted 27 January 2006 - 07:03 PM
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 27, 2006 17:01:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/01/2006
Kaspersky Anti-Virus database records: 162858
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 205067
Number of viruses found: 13
Number of infected objects: 46
Number of suspicious objects: 1
Duration of the scan process: 11337 sec
Infected Object Name - Virus Name
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Program Files\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\WINDOWS\system32\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\WINDOWS\system32\drivers\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\WINDOWS\system32\drivers\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\WINDOWS\system32\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\mchschap.exe Infected: Trojan.Win32.Crypt.t
Scan process completed.
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 27, 2006 17:01:45
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/01/2006
Kaspersky Anti-Virus database records: 162858
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 205067
Number of viruses found: 13
Number of infected objects: 46
Number of suspicious objects: 1
Duration of the scan process: 11337 sec
Infected Object Name - Virus Name
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Program Files\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\WINDOWS\system32\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\WINDOWS\system32\drivers\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\WINDOWS\system32\drivers\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\WINDOWS\system32\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\WINDOWS\system32\mchschap.exe Infected: Trojan.Win32.Crypt.t
Scan process completed.
#27
Posted 28 January 2006 - 09:55 AM
If you will,go to this Upload Site
Upload these files
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\drivers\swmrdpdr.sys
Go into Safe Mode and Be sure Windows is Showing Hidden Files.
http://www.bleepingc...al62.html#winxp
Open Pocket Killbox-> Copy&Paste each entry below,one at a time,into Killbox.
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\dedi.dll
C:\WINDOWS\system32\GS2.exe
C:\WINDOWS\system32\mchschap.exe
C:\WINDOWS\system32\drivers\i386p.sys
C:\WINDOWS\system32\drivers\swmrdpdr.sys
C:\Program Files\apsi
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK
As you paste each entry in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"
Click the Red Circle with the White X in the Middle to Delete
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
C:\Temp
C:\Windows\Temp
C:\Documents and Settings\Owner\Local Settings\Temp
C:\Documents and Settings\<Your Profile>\Local Settings\Temp
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp
Empty your "Recycle Bin"
Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)
Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning)
Restart Normal and Scan once more with Kaspersky Online Scanner.
Post those resutls in the next reply.
Upload these files
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\drivers\swmrdpdr.sys
Go into Safe Mode and Be sure Windows is Showing Hidden Files.
http://www.bleepingc...al62.html#winxp
Open Pocket Killbox-> Copy&Paste each entry below,one at a time,into Killbox.
C:\Documents and Settings\Owner\Local Settings\Temp\mchschap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\mdwrm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Nat2.exe
C:\WINDOWS\system32\dedi.dll
C:\WINDOWS\system32\GS2.exe
C:\WINDOWS\system32\mchschap.exe
C:\WINDOWS\system32\drivers\i386p.sys
C:\WINDOWS\system32\drivers\swmrdpdr.sys
C:\Program Files\apsi
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK
As you paste each entry in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"
Click the Red Circle with the White X in the Middle to Delete
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
C:\Temp
C:\Windows\Temp
C:\Documents and Settings\Owner\Local Settings\Temp
C:\Documents and Settings\<Your Profile>\Local Settings\Temp
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp
Empty your "Recycle Bin"
Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)
Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning)
Restart Normal and Scan once more with Kaspersky Online Scanner.
Post those resutls in the next reply.
Edited by Cretemonster, 28 January 2006 - 09:56 AM.
#28
Posted 29 January 2006 - 11:09 PM
i just sent the files, i deleted all the files except for hsperfdata_Owner, it said it was in use but im not sure whats using it.
#29
Posted 30 January 2006 - 08:45 AM
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 30, 2006 06:43:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/01/2006
Kaspersky Anti-Virus database records: 173848
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 195988
Number of viruses found: 25
Number of infected objects: 77
Number of suspicious objects: 3
Duration of the scan process: 10732 sec
Infected Object Name - Virus Name
C:\!KillBox\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\!KillBox\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\!KillBox\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\!KillBox\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\!KillBox\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/WINDOWS/system32/drivers/swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\chromo.cab Infected: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe/data0003 Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002829.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026281.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dl
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026558.dll Infected: Trojan.Win32.StartPage.vr
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026560.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026561.sys Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026562.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009339.exe Infected: not-a-virus:AdWare.Win32.ShopNav.l
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe/data0002 Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\WINDOWS\package8032_SIAC.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\system32\dnscore.dll Infected: not-a-virus:AdWare.Win32.MediaBack.a
C:\WINDOWS\system32\WіnSxS\winlogon.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bv
Scan process completed.
KASPERSKY ON-LINE SCANNER REPORT
Monday, January 30, 2006 06:43:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/01/2006
Kaspersky Anti-Virus database records: 173848
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 195988
Number of viruses found: 25
Number of infected objects: 77
Number of suspicious objects: 3
Duration of the scan process: 10732 sec
Infected Object Name - Virus Name
C:\!KillBox\apsi\rawh\!update-2724.0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\dedi.dll Infected: Trojan.Win32.StartPage.vr
C:\!KillBox\GS2.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\GS2.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\!KillBox\i386p.sys Infected: SpamTool.Win32.Mailbot.w
C:\!KillBox\LKHHAT9O\!update-2724[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.br
C:\!KillBox\mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\!KillBox\Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\!KillBox\Nat2.exe Infected: Trojan.Win32.VB.aft
C:\!KillBox\setfgi.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\ssysprs.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\!KillBox\swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\!KillBox\W0A3Q2ZK\!update-2324[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.ak
C:\!KillBox\W0A3Q2ZK\!update-2604[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.at
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mchschap.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/mdwrm.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/Explorer.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe/{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/Documents and Settings/Owner/Local Settings/Temp/Nat2.exe Infected: Trojan.Win32.VB.aft
C:\Documents and Settings\Owner\Desktop\chromo.cab/C:/WINDOWS/system32/drivers/swmrdpdr.sys Suspicious: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\chromo.cab Infected: Rootkit.Win32.Agent.ao
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe/data0003 Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers\spyblocs_serial.exe Infected: not-a-virus:AdWare.Win32.Locator.e
C:\Program Files\Microsoft AntiSpyware\Quarantine\C354EA9E-C068-456E-891D-E0D327\9771525F-80B5-44B0-BC24-B1E4FA Infected: Trojan-Downloader.Win32.PurityScan.at
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP10\A0002829.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026280.dll Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026281.exe Infected: not-a-virus:AdWare.Win32.PurityScan.dl
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP143\A0026282.exe Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026305.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP145\A0026306.dll Infected: Trojan-Downloader.Win32.Agent.fc
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026558.dll Infected: Trojan.Win32.StartPage.vr
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026559.exe Infected: Trojan-Dropper.Win32.VB.kk
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026560.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026561.sys Infected: SpamTool.Win32.Mailbot.w
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP148\A0026562.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009302.exe Infected: Trojan-Downloader.Win32.IstBar.nn
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009307.exe Infected: not-a-virus:AdWare.Win32.CASClient.e
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009314.exe Infected: not-a-virus:AdWare.Win32.EZula.ak
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009315.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009316.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009317.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009318.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009319.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009320.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009321.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009322.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009323.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009324.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009325.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009326.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009327.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009328.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009329.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009330.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009331.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009332.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009333.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009334.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009335.INI:twouk:$DATA Infected: Trojan-Downloader.Win32.Agent.an
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009339.exe Infected: not-a-virus:AdWare.Win32.ShopNav.l
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe/data0002 Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP85\A0009340.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.b
C:\WINDOWS\package8032_SIAC.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l
C:\WINDOWS\package8032_SIAC.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\package8032_SIAC.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\WINDOWS\system32\dnscore.dll Infected: not-a-virus:AdWare.Win32.MediaBack.a
C:\WINDOWS\system32\WіnSxS\winlogon.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bv
Scan process completed.
#30
Posted 04 February 2006 - 07:32 AM
My apologies,I got called out of town on emergency buisness.
Go back to Safe Mode,Run each entry below through Killbox
C:\WINDOWS\package8032_SIAC.exe
C:\WINDOWS\system32\dnscore.dll
C:\WINDOWS\system32\WіnSxS\winlogon.exe
C:\Documents and Settings\Owner\Desktop\chromo.cab
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers
As you paste each in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
Click the Red Circle with the White X in the Middle to Delete
While in Safe Mode,be sure Windows is Showing Hidden Files and Folders
http://www.bleepingc...al62.html#winxp
Navigate to this folder-> C:\WINDOWS\system32\WіnSxS
Make me a list of everything you see inside that folder,please.
Restart Normal and post the list from that folder.
Go back to Safe Mode,Run each entry below through Killbox
C:\WINDOWS\package8032_SIAC.exe
C:\WINDOWS\system32\dnscore.dll
C:\WINDOWS\system32\WіnSxS\winlogon.exe
C:\Documents and Settings\Owner\Desktop\chromo.cab
C:\Documents and Settings\Owner\Desktop\DARK_NINJA\misc\spy blockers
As you paste each in,place a tick by any of these selections available
"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
Click the Red Circle with the White X in the Middle to Delete
While in Safe Mode,be sure Windows is Showing Hidden Files and Folders
http://www.bleepingc...al62.html#winxp
Navigate to this folder-> C:\WINDOWS\system32\WіnSxS
Make me a list of everything you see inside that folder,please.
Restart Normal and post the list from that folder.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users