Phew! Finished at last.
Unfortunately I could not save the Ewido report. I have no internet connection in safe mode and the file save did not transfer to normal mode.
Attached are all other logs requested.
Everything seems ok but I have not yet tried logging out after completion of all steps.
Terry
Panda
Incident Status Location
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/nCase No disinfected C:\Program Files\180searchassistant
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\DOCUME~1\TRegan\LOCALS~1\Temp\cfout.txt
Adware:Adware/Sqwire No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINNT\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/SpywareNo No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\TRegan\Favorites\1111\1111.url
Adware:Adware/Beginto No disinfected C:\Documents and Settings\TRegan\Local Settings\Temporary Internet Files\Content.IE5\0AQ64NLG\sp[1].js
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\HJT\backups\backup-20050628-183604-738.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\HJT\backups\backup-20050629-102516-911.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\HJT\backups\backup-20050704-173438-696.dll
Adware:Adware/Sqwire No disinfected C:\RECYCLER\S-1-5-21-507921405-1708537768-839522115-500\Dc1\fkqqd\fkqqc.dll
Adware:Adware/ISearch No disinfected C:\WINNT\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINNT\deskbar.ini
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi
Adware:Adware/ISearch No disinfected C:\WINNT\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/Sqwire No disinfected C:\WINNT\system32\tsuninst.exe
MWAV
Tue Jul 05 09:21:20 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Tue Jul 05 09:21:50 2005 => System found infected with SexList Spyware/Adware (_{CFBFAE00-17A6-11D0-99CB-00C04FD64497})! Action taken: No Action Taken.
Tue Jul 05 09:21:50 2005 => Object "SexList Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:21:51 2005 => System found infected with SideFind Spyware/Adware ({10e42047-deb9-4535-a118-b3f6ec39b807})! Action taken: No Action Taken.
Tue Jul 05 09:21:51 2005 => Object "SideFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:21:52 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Tue Jul 05 09:21:52 2005 => Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:03 2005 => Offending value found in HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\power scan !!!
Tue Jul 05 09:22:03 2005 => Object "Power scan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:05 2005 => Offending value found in HKCU\Software\Microsoft\Windows\CurrentVersion\policies\ameopt !!!
Tue Jul 05 09:22:05 2005 => Object "ameopt Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:05 2005 => Offending value found in HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\tsa !!!
Tue Jul 05 09:22:05 2005 => Offending value found in HKCU\Software\tsa !!!
Tue Jul 05 09:22:05 2005 => Object "tsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:06 2005 => Offending value found in HKCU\Software\avenue media !!!
Tue Jul 05 09:22:06 2005 => Offending value found in HKCU\Software\policies\avenue media !!!
Tue Jul 05 09:22:06 2005 => Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:07 2005 => Offending Folder C:\PROGRA~1\180SEA~1 present...
Tue Jul 05 09:22:07 2005 => Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:17 2005 => Offending value found in HKCU\Software\WebSiteViewer !!!
Tue Jul 05 09:22:17 2005 => Offending Folder C:\PROGRA~1\WEBSIT~1 present...
Tue Jul 05 09:22:17 2005 => Object "WebSiteViewer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:38 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.
Tue Jul 05 09:22:38 2005 => Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 05 09:22:38 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Tue Jul 05 09:22:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\internazionale_ver11.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\m67m.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\objsafe.tlb". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\logo.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\scribble.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\dot.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\mnature.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\hoverbot.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\will.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\powerpup.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:39 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Office\Actors\genius.act". Action Taken: No Action Taken.
Tue Jul 05 09:22:40 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:40 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\objsafe.tlb". Action Taken: No Action Taken.
Tue Jul 05 09:22:40 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\internazionale_ver11.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:41 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\CONFLICT.1\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:41 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\CONFLICT.2\ysbactivex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:41 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\m67m.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:41 2005 => Entry "HKCR\CLSID\{00020D05-0000-0000-C000-000000000046}" refers to invalid object "outex.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:42 2005 => Entry "HKCR\CLSID\{079aa557-4a18-424a-8eee-e39f0a8d41b9}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{2933BF90-7B36-11d2-B20E-00C04F983E60}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{2933BF91-7B36-11d2-B20E-00C04F983E60}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{2933BF94-7B36-11d2-B20E-00C04F983E60}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{3124c396-fb13-4836-a6ad-1317f1713688}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{31B6081F-7590-4A18-BEDF-E938294031D8}" refers to invalid object "C:\WINNT\System32\laca.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{373984C9-B845-449B-91E7-45AC83036ADE}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:44 2005 => Entry "HKCR\CLSID\{379E501F-B231-11d1-ADC1-00805FC752D8}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:45 2005 => Entry "HKCR\CLSID\{3d813dfe-6c91-4a4e-8f41-04346a841d9c}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:45 2005 => Entry "HKCR\CLSID\{3e784a01-f3ae-4dc0-9354-9526b9370eba}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:45 2005 => Entry "HKCR\CLSID\{4419DD31-28A5-11d2-AE08-0080C7337EA1}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:45 2005 => Entry "HKCR\CLSID\{48123bc4-99d9-11d1-a6b3-00c04fd91555}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:46 2005 => Entry "HKCR\CLSID\{4dd441ad-526d-4a77-9f1b-9841ed802fb0}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:46 2005 => Entry "HKCR\CLSID\{550dda30-0541-11d2-9ca9-0060b0ec3d39}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:46 2005 => Entry "HKCR\CLSID\{57B4B693-2388-11d3-8E39-0080C7ACC199}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:47 2005 => Entry "HKCR\CLSID\{5F3E04C3-4612-11D0-A113-00A024B50363}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAREG.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:47 2005 => Entry "HKCR\CLSID\{5F3E04C4-4612-11D0-A113-00A024B50363}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAMDMTR.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:47 2005 => Entry "HKCR\CLSID\{5F3E04C6-4612-11D0-A113-00A024B50363}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAREG.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:47 2005 => Entry "HKCR\CLSID\{649D583D-3401-11D1-8C47-0080C7C43E7F}" refers to invalid object "C:\Program Files\Microsoft Office\Office\1033\WFXRSTRZ.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:48 2005 => Entry "HKCR\CLSID\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}" refers to invalid object "C:\WINNT\Downloaded Program Files\m67m.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:48 2005 => Entry "HKCR\CLSID\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}" refers to invalid object "C:\Program Files\Maxifiles\maxifiles.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:48 2005 => Entry "HKCR\CLSID\{79eac9c3-baf9-11ce-8c82-00aa004ba90b}" refers to invalid object "C:\WINNT\System32\hlinkprx.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:48 2005 => Entry "HKCR\CLSID\{7B49476B-CD0C-4D16-95D5-FE49CA3C8CAB}" refers to invalid object "C:\WINNT\System32\laca.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:48 2005 => Entry "HKCR\CLSID\{7E3FCEA1-31B4-11d2-AE1F-0080C7337EA1}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:49 2005 => Entry "HKCR\CLSID\{800DD100-DB43-11CE-914E-00A004000162}" refers to invalid object "C:\Program Files\Microsoft Office\Office\msspc32.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:50 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:50 2005 => Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:50 2005 => Entry "HKCR\CLSID\{AB481080-796C-11D0-A113-00A024B50363}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAABOUT.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:51 2005 => Entry "HKCR\CLSID\{afb40ffd-b609-40a3-9828-f88bbe11e4e3}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:51 2005 => Entry "HKCR\CLSID\{afba6b42-5692-48ea-8141-dc517dcf0ef1}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:51 2005 => Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Tue Jul 05 09:22:51 2005 => Entry "HKCR\CLSID\{BC54B24C-5A97-4C19-9181-8B8A05B2E931}" refers to invalid object "C:\WINNT\System32\nso123.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:51 2005 => Entry "HKCR\CLSID\{BD9584EF-C28C-4F6D-8D49-0CEE3C0E442F}" refers to invalid object "C:\WINNT\System32\nso123.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:52 2005 => Entry "HKCR\CLSID\{C1172D01-751C-11D0-B6CF-00A024BF23EF}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRASRIAL.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:52 2005 => Entry "HKCR\CLSID\{C7888681-1A83-4C14-B9A5-95F91240B44F}" refers to invalid object "C:\WINNT\System32\nso123.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:52 2005 => Entry "HKCR\CLSID\{CCDD9080-8100-11D0-B6CF-00A024BF23EF}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRALPTTR.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:53 2005 => Entry "HKCR\CLSID\{CFC399AF-D876-11d0-9C10-00C04FC99C8E}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:53 2005 => Entry "HKCR\CLSID\{D19781C5-2051-44F8-8445-DDC82933C191}" refers to invalid object "C:\WINNT\Downloaded Program Files\internazionale_ver11.ocx". Action Taken: No Action Taken.
Tue Jul 05 09:22:53 2005 => Entry "HKCR\CLSID\{d2423620-51a0-11d2-9caf-0060b0ec3d39}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:53 2005 => Entry "HKCR\CLSID\{DA6A85E0-05C7-11D1-B243-006097CAD7E2}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAABOUT.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:53 2005 => Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:54 2005 => Entry "HKCR\CLSID\{E3DA8715-3769-4DCE-BCB4-A7391412B495}" refers to invalid object "C:\WINNT\System32\laca.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:54 2005 => Entry "HKCR\CLSID\{E5B42981-67DC-11D0-8547-00A0240B50F0}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAWEBTR.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:54 2005 => Entry "HKCR\CLSID\{E8D83F00-CD78-11D0-B4D3-00A024BF23EF}" refers to invalid object "C:\PROGRA~1\COMMON~1\IRAABOUT.DLL". Action Taken: No Action Taken.
Tue Jul 05 09:22:54 2005 => Entry "HKCR\CLSID\{ED8C108E-4349-11D2-91A4-00C04F7969E8}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f19-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f27-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f31-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f32-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f33-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f34-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f35-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f36-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f37-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f39-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f3f-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f40-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{f5078f41-c551-11d3-89b9-0000f81fe221}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{F6D90F12-9C73-11D3-B32E-00C04F990BB4}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{F6D90F14-9C73-11D3-B32E-00C04F990BB4}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:55 2005 => Entry "HKCR\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:22:56 2005 => Entry "HKCR\CLSID\{fc220ad8-a72a-4ee8-926e-0b7ad152a020}" refers to invalid object "%SystemRoot%\system32\msxml3.dll". Action Taken: No Action Taken.
Tue Jul 05 09:23:00 2005 => Entry "HKCR\btnetw.ohb" refers to invalid object "{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}". Action Taken: No Action Taken.
Tue Jul 05 09:23:00 2005 => Entry "HKCR\btnetw.ohb.1" refers to invalid object "{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}". Action Taken: No Action Taken.
Tue Jul 05 09:23:05 2005 => Entry "HKCR\LowSol.RichEditor" refers to invalid object "{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}". Action Taken: No Action Taken.
Tue Jul 05 09:23:05 2005 => Entry "HKCR\LowSol.RichEditor.1" refers to invalid object "{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}". Action Taken: No Action Taken.
Tue Jul 05 09:23:09 2005 => Entry "HKCR\ncmyb.SABHO" refers to invalid object "{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}". Action Taken: No Action Taken.
Tue Jul 05 09:23:09 2005 => Entry "HKCR\ncmyb.SABHO.1" refers to invalid object "{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}". Action Taken: No Action Taken.
Tue Jul 05 09:23:10 2005 => Entry "HKCR\Photoshop.Application.4" refers to invalid object "{6DECC242-87EF-11cf-86B4-444553540000} ". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\Shorty.Gopher" refers to invalid object "{11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6}". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\Shorty.Gopher.1" refers to invalid object "{11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6}". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\ToolBand.XBTB07618" refers to invalid object "{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\ToolBand.XBTB07618.1" refers to invalid object "{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\VBRun.VBRunDLL" refers to invalid object "{197B8CA4-E215-46DD-8F33-E0544A80E5C4}". Action Taken: No Action Taken.
Tue Jul 05 09:23:12 2005 => Entry "HKCR\VBRun.VBRunDLL.1" refers to invalid object "{197B8CA4-E215-46DD-8F33-E0544A80E5C4}". Action Taken: No Action Taken.
Silent Runners
"Silent Runners.vbs", revision 39,
http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"fkqq" = "C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe" [file not found]
"Windows installer" = "C:\winstall.exe" [file not found]
"DNS" = "C:\Program Files\Common Files\mc-58-12-0000093.exe" [file not found]
"SpySheriff" = "C:\Program Files\SpySheriff\SpySheriff.exe" [file not found]
"Windows Service" = "C:\WINNT\system32\sex.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]
"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]
"KAVPersonal50" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * sprestrt" [file not found], [MS], [file not found], [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Enable Active Desktop}
HIJACK WARNING! "Wallpaper" = "C:\WINNT\desktop.html"
[disables Display Properties|Background (tab); selects wallpaper if
Active Desktop is enabled]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Active Desktop Wallpaper|Wallpaper Name:}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop enabled via Group Policy.
Wallpaper selected via Group Policy.
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINNT\System32\sspipes.scr" [MS]
Startup items in "tregan" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"SmartNetMonitor for Client" -> shortcut to: "C:\Program Files\RMClient\PMClient.exe" ["RICOH COMPANY,LTD."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
C-DillaSrv, C-DillaSrv, "C:\WINNT\system32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
kavsvc, kavsvc, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Lab"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 23 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 76 seconds)
HiJack
Logfile of HijackThis v1.99.1
Scan saved at 11:11:55, on 05/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\RMClient\PMClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [fkqq] C:\PROGRA~1\COMMON~1\fkqq\fkqqm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\system32\sex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5938FEB1-3609-11D4-85CD-00902707DAE7} (MapCtl Class) - http://www.promapser...test/webmap.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1118749099296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WORTH.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WORTH.local
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe