Regarding my question with the other computer, do you want me to post a HIjackthis log into this same thread? If so that would be great.
Firefox spyware please help [RESOLVED]
Started by
brain1212
, Jan 05 2008 11:04 AM
-
This topic is locked
#16
Posted 10 February 2008 - 10:12 AM
brain1212
- Topic Starter
-
- Member
-
- 14 posts
Member
Regarding my question with the other computer, do you want me to post a HIjackthis log into this same thread? If so that would be great.
#17
Posted 10 February 2008 - 10:17 AM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
Oops forgot there is no restore under 2000, ignore that part
Yep post the second log here and I will run with it
Yep post the second log here and I will run with it
#18
Posted 10 February 2008 - 10:22 AM
brain1212
- Topic Starter
-
- Member
-
- 14 posts
Member
Ok here is the HiJackThis Log from the other computer:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:29 AM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search...k=sbar1_srchbtn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FE71D474-704B-5E76-FA99-6875E7DEAFFF} - C:\WINDOWS\Rddjrbfy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3537 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:29 AM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search...k=sbar1_srchbtn
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FE71D474-704B-5E76-FA99-6875E7DEAFFF} - C:\WINDOWS\Rddjrbfy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3537 bytes
#19
Posted 10 February 2008 - 10:40 AM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
First thing I see on this one is no Antivirus but you have Limewire this is a bad combination 
. There are several free antiviruses available to choose from.
Here are the installation instructions for the one I use, if after a while you do not like it you can uninstall it and install the other free one AVG
First you have to download an antivirus. This program is basic for the security of your computer and in todays age not having one will probably lead to disaster for your computer.
Please go HERE and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded, double-click on the file to launch the installation of avast!
Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.
You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No
Now you have to restart your machine, select Restart and then click Finish.
After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.
VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.
You will get popup after its done updating. If avast! had to download anything for your computer you may get a message asking you to restart.
After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus
Click Program Registration and you will be taken to their website. Fill out the form and then check you e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click ok.
After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial HERE it may make it easier to you to follow the steps.
Next, choose
Now avast! will restart your computer and start to scan before Windows fully loads.
IMPORTANT NOTE since your system has infections on it, avast! will give you dialog box with recommended actions, and options, please make sure if this happens, to click the Move to Chest button, and not to delete any reported files.
The boot log will be located here C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt
THEN
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {FE71D474-704B-5E76-FA99-6875E7DEAFFF} - C:\WINDOWS\Rddjrbfy.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
FINALLY FOR NOW
Download ComboFix from Here or Here to your Desktop.
Logs required : AswBoot.txt and Combofix
. There are several free antiviruses available to choose from.Here are the installation instructions for the one I use, if after a while you do not like it you can uninstall it and install the other free one AVG
First you have to download an antivirus. This program is basic for the security of your computer and in todays age not having one will probably lead to disaster for your computer.
Please go HERE and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded, double-click on the file to launch the installation of avast!
Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.
You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No
Now you have to restart your machine, select Restart and then click Finish.
After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.
VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.
You will get popup after its done updating. If avast! had to download anything for your computer you may get a message asking you to restart.
After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus
Click Program Registration and you will be taken to their website. Fill out the form and then check you e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click ok.
After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial HERE it may make it easier to you to follow the steps.
Next, choose
- Scan all local disks
- scan archive files
- click on Schedule
Now avast! will restart your computer and start to scan before Windows fully loads.
IMPORTANT NOTE since your system has infections on it, avast! will give you dialog box with recommended actions, and options, please make sure if this happens, to click the Move to Chest button, and not to delete any reported files.
The boot log will be located here C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt
THEN
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {FE71D474-704B-5E76-FA99-6875E7DEAFFF} - C:\WINDOWS\Rddjrbfy.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmai..._downloader.cab
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
FINALLY FOR NOW
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Logs required : AswBoot.txt and Combofix
#20
Posted 10 February 2008 - 01:23 PM
brain1212
- Topic Starter
-
- Member
-
- 14 posts
Member
Wow that took a long time.
With the Avast scan I had a lot of errors such as "Object Name Not Found" and "File Not Packed" and the only thing I could do is "ignore". I could not "Move To Chest" or "Delete".
ASWBoot Log:
02/10/2008 12:22
Scan of all local drives
File C:\WINDOWS\system32\prutcct.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\julie.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\06wu29rd.exe is infected by Win32:Trojano-522 [Trj], Moved to chest
File C:\WINDOWS\system32\sd.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File C:\WINDOWS\system32\449166.exe\$SYSDIR\winb2s32.dll is infected by Win32:Adan-008 [Adw], Moved to chest
File C:\WINDOWS\system32\449166.exe\$SYSDIR\reg6523.exe is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}
File C:\WINDOWS\system32\AANTX.dll is infected by Win32:Superlogy [Adw], Moved to chest
File C:\WINDOWS\system32\exul.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\WINDOWS\system32\nvms.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\system32\SplWbr.dll\[Embedded#03000] is infected by Win32:Agent-CGH [Trj], Moved to chest
File C:\WINDOWS\system32\SplWbr.dll\[Embedded#25048] is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}
File C:\WINDOWS\system32\SplWbr.dll is infected by Win32:Small-FU [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\system32\istinstall_154074.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\WinExplore.exe is infected by Win32:Trojan-gen {VB}, Moved to chest
File C:\WINDOWS\system32\thinInstOIT61MegaV2s.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\WrapperOuter_exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\WINDOWS\system32\SHAgentNew.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\msbb321.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\tvmk21.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\TVM_B5_Bundle_21.EXE\[Embedded#0a60] is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\TVM_B5_Bundle_21.EXE is infected by Win32:Trojano-620 [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\system32\ezStub.exe is infected by Win32:Ezula [Adw], Moved to chest
File C:\WINDOWS\system32\javexulm.vxd is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\WINDOWS\msbe.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\nvms.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\mscb.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\MM32.exe is infected by Win32:Small-MQ [Trj], Moved to chest
File C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Professional_32_1033.cab\rcBuddy.cab\monitor_left.gif Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Professional_32_1033.cab\rcBuddy.cab Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Administrator\Desktop\old stuff\New Folder\VMOPATCH.EXE\%MAINDIR%\vmo.exe Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Administrator\Desktop\New Folder\VMOPATCH.EXE\%MAINDIR%\vmo.exe Error 42146 {Installer archive is corrupted.}
File C:\Program Files\AIM\Sysfiles\WxBug.EXE\Wise0008.bin\[Embedded#13b50] is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Program Files\AIM\Sysfiles\WxBug.EXE\Wise0008.bin is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42010 {File is not packed.}, Move: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100340.dll is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100344.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100345.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100346.exe is infected by Win32:Trojano-522 [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100347.exe is infected by Win32:Trojan-gen {VC}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100348.exe\$SYSDIR\winb2s32.dll is infected by Win32:Adan-008 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100348.exe\$SYSDIR\reg6523.exe is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100349.dll is infected by Win32:Superlogy [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100350.exe is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100351.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll\[Embedded#03000] is infected by Win32:Agent-CGH [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll\[Embedded#25048] is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll is infected by Win32:Small-FU [Trj], Delete: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100353.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100354.exe is infected by Win32:Trojan-gen {VB}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100355.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100356.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100357.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100358.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100359.EXE\[Embedded#0a60] is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100359.EXE is infected by Win32:Trojano-620 [Trj], Delete: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100360.exe is infected by Win32:Ezula [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100361.vxd is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100362.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100363.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100364.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100365.exe is infected by Win32:Small-MQ [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100366.EXE\Wise0008.bin\[Embedded#13b50] is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100366.EXE\Wise0008.bin is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42010 {File is not packed.}
Number of searched folders: 2336
Number of tested files: 159007
Number of infected files: 58
-----------------------------------------------------------------
------------------------------------------------------
----------------------------------------------
ComboFix Log:
ComboFix 08-02.05.3 - Administrator 2008-02-10 14:13:36.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.87 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.
2008-02-10 11:48 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-10 11:48 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-10 11:48 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-10 11:48 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-10 11:48 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-10 11:48 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-10 11:47 . 2008-02-10 11:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 11:47 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-02-10 11:47 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-10 11:47 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-10 11:23 . 2008-02-10 11:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 11:19 . 2008-02-10 11:19 <DIR> d-------- C:\Downloads
2008-02-07 11:09 . 2001-08-17 14:03 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-19 18:55 . 2008-01-19 18:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\123 Free Solitaire
2008-01-19 18:54 . 2008-01-19 18:54 <DIR> d-------- C:\Program Files\123 Free Solitaire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-08 16:01 62,424 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-04-02 23:42 346,196 ----a-w C:\Documents and Settings\Administrator\Application Data\tvmknwrd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41 33792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 12:11]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys [2004-10-08 15:04]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 14:16:03
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-10 14:17:15
--------------------------------------------------
---------------------------------------------
-----------------------------------------
New HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:59 PM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3411 bytes
With the Avast scan I had a lot of errors such as "Object Name Not Found" and "File Not Packed" and the only thing I could do is "ignore". I could not "Move To Chest" or "Delete".
ASWBoot Log:
02/10/2008 12:22
Scan of all local drives
File C:\WINDOWS\system32\prutcct.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\julie.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\06wu29rd.exe is infected by Win32:Trojano-522 [Trj], Moved to chest
File C:\WINDOWS\system32\sd.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File C:\WINDOWS\system32\449166.exe\$SYSDIR\winb2s32.dll is infected by Win32:Adan-008 [Adw], Moved to chest
File C:\WINDOWS\system32\449166.exe\$SYSDIR\reg6523.exe is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}
File C:\WINDOWS\system32\AANTX.dll is infected by Win32:Superlogy [Adw], Moved to chest
File C:\WINDOWS\system32\exul.exe is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\WINDOWS\system32\nvms.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\system32\SplWbr.dll\[Embedded#03000] is infected by Win32:Agent-CGH [Trj], Moved to chest
File C:\WINDOWS\system32\SplWbr.dll\[Embedded#25048] is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}
File C:\WINDOWS\system32\SplWbr.dll is infected by Win32:Small-FU [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\system32\istinstall_154074.exe is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\WinExplore.exe is infected by Win32:Trojan-gen {VB}, Moved to chest
File C:\WINDOWS\system32\thinInstOIT61MegaV2s.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\WrapperOuter_exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\WINDOWS\system32\SHAgentNew.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\msbb321.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\tvmk21.dll is infected by Win32:Small-FU [Trj], Moved to chest
File C:\WINDOWS\system32\TVM_B5_Bundle_21.EXE\[Embedded#0a60] is infected by Win32:Trojan-gen {UPX}, Moved to chest
File C:\WINDOWS\system32\TVM_B5_Bundle_21.EXE is infected by Win32:Trojano-620 [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\WINDOWS\system32\ezStub.exe is infected by Win32:Ezula [Adw], Moved to chest
File C:\WINDOWS\system32\javexulm.vxd is infected by Win32:Spyware-gen [Trj], Moved to chest
File C:\WINDOWS\msbe.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\nvms.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\mscb.dll is infected by Win32:Adan-022 [Adw], Moved to chest
File C:\WINDOWS\MM32.exe is infected by Win32:Small-MQ [Trj], Moved to chest
File C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Professional_32_1033.cab\rcBuddy.cab\monitor_left.gif Error 42127 {CAB archive is corrupted.}
File C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Professional_32_1033.cab\rcBuddy.cab Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Administrator\Desktop\old stuff\New Folder\VMOPATCH.EXE\%MAINDIR%\vmo.exe Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Administrator\Desktop\New Folder\VMOPATCH.EXE\%MAINDIR%\vmo.exe Error 42146 {Installer archive is corrupted.}
File C:\Program Files\AIM\Sysfiles\WxBug.EXE\Wise0008.bin\[Embedded#13b50] is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Program Files\AIM\Sysfiles\WxBug.EXE\Wise0008.bin is infected by Win32:Adware-gen [Adw], Move to chest: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42010 {File is not packed.}, Move: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100340.dll is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100344.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100345.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100346.exe is infected by Win32:Trojano-522 [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100347.exe is infected by Win32:Trojan-gen {VC}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100348.exe\$SYSDIR\winb2s32.dll is infected by Win32:Adan-008 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100348.exe\$SYSDIR\reg6523.exe is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100349.dll is infected by Win32:Superlogy [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100350.exe is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100351.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll\[Embedded#03000] is infected by Win32:Agent-CGH [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll\[Embedded#25048] is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100352.dll is infected by Win32:Small-FU [Trj], Delete: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100353.exe is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100354.exe is infected by Win32:Trojan-gen {VB}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100355.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100356.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100357.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100358.dll is infected by Win32:Small-FU [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100359.EXE\[Embedded#0a60] is infected by Win32:Trojan-gen {UPX}, Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100359.EXE is infected by Win32:Trojano-620 [Trj], Delete: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100360.exe is infected by Win32:Ezula [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100361.vxd is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100362.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100363.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100364.dll is infected by Win32:Adan-022 [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100365.exe is infected by Win32:Small-MQ [Trj], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100366.EXE\Wise0008.bin\[Embedded#13b50] is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{35006072-1C01-44E0-AD94-8E69F9A887C3}\RP772\A0100366.EXE\Wise0008.bin is infected by Win32:Adware-gen [Adw], Delete: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 42010 {File is not packed.}
Number of searched folders: 2336
Number of tested files: 159007
Number of infected files: 58
-----------------------------------------------------------------
------------------------------------------------------
----------------------------------------------
ComboFix Log:
ComboFix 08-02.05.3 - Administrator 2008-02-10 14:13:36.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.87 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.
2008-02-10 11:48 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-10 11:48 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-10 11:48 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-10 11:48 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-10 11:48 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-10 11:48 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-10 11:47 . 2008-02-10 11:47 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-10 11:47 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-02-10 11:47 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-10 11:47 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-10 11:23 . 2008-02-10 11:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 11:19 . 2008-02-10 11:19 <DIR> d-------- C:\Downloads
2008-02-07 11:09 . 2001-08-17 14:03 21,760 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-19 18:55 . 2008-01-19 18:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\123 Free Solitaire
2008-01-19 18:54 . 2008-01-19 18:54 <DIR> d-------- C:\Program Files\123 Free Solitaire
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-08 16:01 62,424 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2005-04-02 23:42 346,196 ----a-w C:\Documents and Settings\Administrator\Application Data\tvmknwrd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 13:41 33792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-08-17 12:11]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;C:\WINDOWS\System32\drivers\HCWBT8XX.sys [2004-10-08 15:04]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 14:16:03
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-10 14:17:15
--------------------------------------------------
---------------------------------------------
-----------------------------------------
New HiJackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:59 PM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3411 bytes
#21
Posted 10 February 2008 - 03:46 PM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
Well looks like Avast took a lot out there and left combofix with nothing to do.. But they both missed one 
and I got it
Please download the OTMoveIt2 by OldTimer.
Now a deep search to make sure nothing was missed
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
and I got it Yep it was a full scan of your entire drive before windows was loaded. Shouldn't need to do that one againWow that took a long time.
That is to do with the way that some files are packed - not a problemWith the Avast scan I had a lot of errors such as "Object Name Not Found" and "File Not Packed" and the only thing I could do is "ignore". I could not "Move To Chest" or "Delete".
Please download the OTMoveIt2 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Documents and Settings\Administrator\Application Data\tvmknwrd.dll
- Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2
Now a deep search to make sure nothing was missed
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
- Reg - BotCheck
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
#22
Posted 10 February 2008 - 04:47 PM
brain1212
- Topic Starter
-
- Member
-
- 14 posts
Member
What is your internet browser of choice? Im starting to see these programs scan IE files alot and not seeing so much Mozzilla Files. Is it in my best interest to use IE instead of Firefox? I use nothing but Firefox at the moment.
Here are the log files:
old timer log:
File/Folder C:\Documents and Settings\Administrator\Application Data\tvmknwrd.dll not found.
OTMoveIt2 v1.0.19 log created on 02102008_174103
WinPfind Log:
Here are the log files:
old timer log:
File/Folder C:\Documents and Settings\Administrator\Application Data\tvmknwrd.dll not found.
OTMoveIt2 v1.0.19 log created on 02102008_174103
WinPfind Log:
WinPFind35 logfile created on: 2/10/2008 5:44:38 PM
WinPFind35U Version Beta49 Folder = C:\Documents and Settings\Administrator\Desktop\WinPFind35u
Windows XP Professional Edition (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
254.55 Mb Total Physical Memory | 88.44 Mb Available Physical Memory | 34.74% Memory free
434.31 Mb Paging File | 261.83 Mb Available in Paging File | 60.29% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.93 Gb Total Space | 19.77 Gb Free Space | 70.77% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: SHANNON
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
[Processes - Non-Microsoft Only]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr = ]
lxbbbmgr.exe -> %ProgramFiles%\Lexmark X74-X75\lxbbbmgr.exe -> Lexmark International, Inc. [Ver = 1.0.6.0 | Size = 57344 bytes | Modified Date = 10/14/2002 4:09:12 PM | Attr = ]
lxbbbmon.exe -> %ProgramFiles%\Lexmark X74-X75\lxbbbmon.exe -> Lexmark International, Inc. [Ver = 1.0.6.0 | Size = 49152 bytes | Modified Date = 10/14/2002 4:22:04 PM | Attr = ]
winampa.exe -> %ProgramFiles%\Winamp\winampa.exe -> [Ver = | Size = 33792 bytes | Modified Date = 12/20/2004 1:41:22 PM | Attr = ]
ashdisp.exe -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr = ]
aim.exe -> %SystemDrive%\PROGRA~1\AIM\aim.exe -> America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 8/5/2005 3:08:26 PM | Attr = ]
lexbces.exe -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 303104 bytes | Modified Date = 10/14/2002 4:03:18 PM | Attr = ]
lexpps.exe -> %System32%\LEXPPS.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 174592 bytes | Modified Date = 10/14/2002 4:00:42 PM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:02 AM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:54 AM | Attr = ]
winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 310272 bytes | Modified Date = 2/10/2008 1:10:14 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:54 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:02 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 7.4 | Size = 303104 bytes | Modified Date = 10/14/2002 4:03:18 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr = ]
Lexmark X74-X75 -> %ProgramFiles%\Lexmark X74-X75\lxbbbmgr.exe -> Lexmark International, Inc. [Ver = 1.0.6.0 | Size = 57344 bytes | Modified Date = 10/14/2002 4:09:12 PM | Attr = ]
WinampAgent -> %ProgramFiles%\Winamp\winampa.exe -> [Ver = | Size = 33792 bytes | Modified Date = 12/20/2004 1:41:22 PM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\System32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.msn.com/ ->
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.msn.com[] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. ->
.[msn] -> My Computer ->
objects_aol.com [*] -> Out of zone range - ( 5 ) ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 11/3/2003 2:17:44 PM | Attr = ]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{8E718888-423F-11D2-876E-00A0C9082467} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 11/8/2001 4:38:48 PM | Attr = ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\AIM Toolbar\AIMBar.dll [AIM Search] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}:Exec -> %SystemDrive%\PROGRA~1\AIM\aim.exe [AIM] -> America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 8/5/2005 3:08:26 PM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
{6685509E-B47B-4f47-8E16-9A5F3A62F683}\\CLSID [HKEY_LOCAL_MACHINE] -> [{0000031A-0000-0000-C000-000000000046}] -> File not found
{6685509E-B47B-4f47-8E16-9A5F3A62F683}\\Default Visible [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}\\CLSID [HKEY_LOCAL_MACHINE] -> [{0000031A-0000-0000-C000-000000000046}] -> File not found
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}\\ClsidExtension [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}\\Default Visible [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\AIM\aim.exe [AIM] -> America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 8/5/2005 3:08:26 PM | Attr = ]
CmdMapping\\{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&AIM Search -> %ProgramFiles%\AIM Toolbar\AIMBar.dll -> File not found
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4156D5E3-BE3E-4B7A-A23E-60C4E2FAEB42} -> () ->
{569AC65D-8C52-4755-8B82-84FE896DFC59} -> (Scientific-Atlanta WebSTAR 2000 series Cable Modem) ->
{B06E031A-A262-4E73-86D5-2360B9F3DCA9} -> (Linksys NC100 Fast Ethernet Adapter) ->
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[Reg Error: Value does not exist or could not be read.] -> File not found
vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} [HKEY_LOCAL_MACHINE] -> %System32%\msdxm.ocx[AsyncPProt Class] -> [Ver = | Size = 844048 bytes | Modified Date = 11/8/2001 4:38:48 PM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{03F998B2-0E00-11D3-A498-00104B6EB52E}[HKEY_LOCAL_MACHINE] -> https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&4&04.00.07.02&unknown&unknown&http://aolexpressions.aol.com/testdrive.adp?clientId=2&expTypeId=1&catId=43&langCode=&subcatId=988&tm=824&expId=5087[Reg Error: Key does not exist or could not be opened.] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab[Java Plug-in 1.4.1_02] ->
{B9191F79-5613-4C76-AA2A-398534BB8999}[HKEY_LOCAL_MACHINE] -> http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab[Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab[Java Plug-in 1.4.1_02] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] ->
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> (binary data) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 108032 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> (binary data) ->
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages ->
kerberos -> %System32%\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 265216 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
msv1_0 -> %System32%\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 108032 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
schannel -> %System32%\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 133632 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
wdigest -> %System32%\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 46592 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 564 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->
scecli -> %System32%\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 174080 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder ->
Windows NT Access Provider -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> C:\WINDOWS\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 110080 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> C:\WINDOWS\System32\IISSUBA.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> C:\WINDOWS\System32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;NLA;RasMan;ALG; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 11477 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> C:\WINDOWS\System32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 453632 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll [139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll [445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll [137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll [138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll [1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll [2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\System32\wuauserv.dll [C:\WINDOWS\System32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.2600.0 (XPClient.010817-1148) | Size = 4096 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DependOnService ->
RPCSS -> %System32%\RPCSS.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 259072 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\DisplayName -> Remote Registry ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ImagePath -> C:\WINDOWS\system32\svchost.exe [%SystemRoot%\system32\svchost.exe -k LocalService] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\ObjectName -> NT AUTHORITY\LocalService ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Group -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\FailureActions -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters\\ServiceDll -> C:\WINDOWS\system32\regsvc.dll [%SystemRoot%\system32\regsvc.dll] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 51712 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\0 -> Root\LEGACY_REMOTEREGISTRY\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Type -> 16 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 3 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\System32\tlntsvr.exe [C:\WINDOWS\System32\tlntsvr.exe] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 60928 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet ->
*DependOnService* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService ->
RPCSS -> %System32%\RPCSS.dll -> Microsoft Corporation [Ver = 5.1.2600.0 (XPClient.010817-1148) | Size = 259072 bytes | Modified Date = 8/23/2001 12:00:00 PM | Attr = ]
TCPIP -> -> File not found
NTLMSSP -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> (binary data) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->
[Files/Folders - Created Within 30 days]
Downloads -> %SystemDrive%\Downloads -> [Folder | Created Date = 2/10/2008 11:19:37 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Created Date = 2/10/2008 5:40:16 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2/10/2008 2:12:25 PM | Attr = ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Modified Date = 12/4/2007 9:56:02 AM | Attr = ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Modified Date = 12/4/2007 9:55:46 AM | Attr = ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 12/4/2007 9:49:02 AM | Attr = ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 12/4/2007 9:51:52 AM | Attr = ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 12/4/2007 9:53:40 AM | Attr = ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 8:04:28 AM | Attr = ]
actskin4.ocx -> %System32%\actskin4.ocx -> [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Modified Date = 1/9/2004 4:13:58 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Modified Date = 12/4/2007 7:54:04 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
fdsv.exe -> %System32%\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
sed.exe -> %System32%\sed.exe -> [Ver = | Size = 98816 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
grep.exe -> %System32%\grep.exe -> [Ver = | Size = 80412 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
zip.exe -> %System32%\zip.exe -> [Ver = | Size = 68096 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2/10/2008 2:12:55 PM | Attr = ]
9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
Downloads -> %SystemDrive%\Downloads -> [Folder | Modified Date = 2/10/2008 11:19:38 AM | Attr = ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt -> [Folder | Modified Date = 2/10/2008 5:40:18 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2/10/2008 2:12:26 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2184 bytes | Modified Date = 2/10/2008 11:54:22 AM | Attr = ]
CONFIG.NT -> %System32%\CONFIG.NT -> [Ver = | Size = 2626 bytes | Modified Date = 2/10/2008 11:48:20 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 262 bytes | Modified Date = 2/10/2008 2:16:04 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2/10/2008 2:12:56 PM | Attr = ]
9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
winamp.ini -> %SystemRoot%\winamp.ini -> [Ver = | Size = 1110 bytes | Modified Date = 1/20/2008 3:48:58 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2/10/2008 2:03:22 PM | Attr = S]
LEXSTAT.INI -> %SystemRoot%\LEXSTAT.INI -> [Ver = | Size = 652 bytes | Modified Date = 2/4/2008 6:54:54 PM | Attr = ]
Rddjrbfy.ini -> %SystemRoot%\Rddjrbfy.ini -> [Ver = | Size = 292 bytes | Modified Date = 1/31/2008 8:45:48 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2/10/2008 2:04:10 PM | Attr = H ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 5296 bytes | Modified Date = 2/10/2005 10:07:16 AM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4232 bytes | Modified Date = 2/22/2005 10:35:38 AM | Attr = ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat -> [Ver = | Size = 4070 bytes | Modified Date = 9/30/2005 6:24:50 PM | Attr = ]
Perflib_Perfdata_474.dat -> C:\WINDOWS\Temp\Perflib_Perfdata_474.dat -> [Ver = | Size = 16384 bytes | Modified Date = 2/10/2008 2:04:10 PM | Attr = ]
< End of report >
#23
Posted 10 February 2008 - 04:59 PM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
Personally I use IE7 as I find it has all the functionality of FF but is just as secure. However this is a horses for courses debate each to his ownWhat is your internet browser of choice? Im starting to see these programs scan IE files alot and not seeing so much Mozzilla Files. Is it in my best interest to use IE instead of Firefox? I use nothing but Firefox at the moment.
But with FF you need to ensure that your temp files are emptied regularly as some miscreants can hide there
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKEY_CURRENT_USER\] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
[Files/Folders - Created Within 30 days]
YY -> sed.exe -> %System32%\sed.exe
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
To ensure that FF temp files are emptied
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Logs required : Winpfind report and a new Hijackthis log, plus how is the system running now ?
#24
Posted 10 February 2008 - 07:28 PM
brain1212
- Topic Starter
-
- Member
-
- 14 posts
Member
Ok, I did the new code in WinPFind35 and a box came up asking me to "reboot" so I did. Well when windows restarted, nothing else happened (no log file or any other boxes).
Here is the new HiJack This Log File:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:51 PM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3385 bytes
The Computer seems to be running a little bit smoother.
Here is the new HiJack This Log File:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:51 PM, on 2/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...l...&expId=5087
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 3385 bytes
The Computer seems to be running a little bit smoother.
#25
Posted 11 February 2008 - 12:31 PM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
Looking good there so...................
First priority will be to get you updated to Service Pack 2 on this page you will have the option to download or order the Service Pack on CD. Your choice , but whichever option you choose ensure are malware free before installation SP2 does not play well with an infected system, before installation pop back here for a quick health check.
Now the best part of the day ----- Your log now appears clean
Double click Winpfind35 once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself
Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:
1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE
You now have a clean restore point, to get rid of the bad ones:
1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?
Keep safe
First priority will be to get you updated to Service Pack 2 on this page you will have the option to download or order the Service Pack on CD. Your choice , but whichever option you choose ensure are malware free before installation SP2 does not play well with an infected system, before installation pop back here for a quick health check.
Now the best part of the day ----- Your log now appears clean
Double click Winpfind35 once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself
Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:
1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE
You now have a clean restore point, to get rid of the bad ones:
1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
- SpywareBlaster to help prevent spyware from installing in the first place.
To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?
Keep safe
#26
Posted 12 February 2008 - 12:39 PM
Essexboy
-
- Retired Staff
-
- 69,964 posts
GeekU Moderator
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
