taniguce

Mcafee Download Site[RESOLVED]

I am no longer able to get into the McAfee download site, so I cannot get the latest DAT files. My other computer, using the same broadband with Linksys, has no problem getting into the same site.

I was hit with a lot of viruses yesterday and believe I was also hit with a spyware problem. I think it is called "SpyAxe". I thought I cleaned everything up with "Spybot Search and Destroy" and "AVG" antivirus software.

Here is my HiJack Logfile:

Logfile of HijackThis v1.99.1

Scan saved at 9:03:43 AM, on 10/5/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inet20004\winlogon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Thank you for your help.


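The HijackThis log above is the evidence the later replies work from: the win.ini run= entry, the AppInit_DLLs value, the O16 download from an unfamiliar host and the service whose file is missing. The following is an added example, not code from the thread or from HijackThis, that parses lines in this format and flags those entries; the severity labels, the trusted-host list and the system-binary list are assumptions made here for illustration.

```python
"""Triage HijackThis v1.99 log lines for the autostart points seen in this thread.

Added example: not code from the forum thread or from HijackThis. The severity
labels, the trusted-host list and the system-binary list are assumptions made
here for illustration, not anyone's official detection logic.
"""
import re
from urllib.parse import urlparse

# Sample input: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F3 - REG:win.ini: run=C:\WINDOWS\inet20004\winlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
"""

# Every HijackThis entry starts with a section code such as R0, F3, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# Assumed allow-list for O16 (Downloaded Program Files / ActiveX) sources.
TRUSTED_DPF_HOSTS = ("microsoft.com", "pandasoftware.com")

# Core Windows binaries that legitimately live only under the system folders.
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\", "c:\\windows\\")


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def _directly_in_system_dir(path):
    # True only when the file sits directly in one of SYSTEM_DIRS, not a subfolder.
    p = path.lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in SYSTEM_DIRS)


def parse_line(line):
    """Split one log line into (section, body); non-entry lines give None."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_line(section, body):
    """Return (severity, reason) for an entry worth a look, else None."""
    if section == "F3" and body.startswith("REG:win.ini: run="):
        target = body[len("REG:win.ini: run="):].strip()
        name = target.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not _directly_in_system_dir(target):
            return "high", "win.ini run= starts a system-binary name from a non-system folder"
        return "medium", "win.ini run= is set; rarely used by legitimate software on XP"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        if body[len("AppInit_DLLs:"):].strip():
            return "high", "AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll"
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if url.lower().startswith("http") and not _host_trusted(url):
            return "medium", "ActiveX control installed from a host outside the trusted list"
    if section == "O23" and "(file missing)" in body:
        return "low", "service entry points at a file that no longer exists"
    return None


def triage_log(text):
    """Run triage_line over every entry; returns a list of finding dicts."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        verdict = triage_line(section, body)
        if verdict:
            findings.append({"section": section, "severity": verdict[0],
                             "reason": verdict[1], "entry": body})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']}: {f['reason']}\n    {f['entry']}")
```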
Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Thanks for your help. Here is the file you requested:

SmitFraudFix v2.105

Scan done at 11:15:52.79, Thu 10/05/2006

Run from C:\Documents and Settings\Leigh Silberg\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\migicons.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Leigh Silberg

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Leigh Silberg\Application Data

C:\Documents and Settings\Leigh Silberg\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LEIGHS~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="C:\\WINDOWS\\System32\\win_a3.dll"

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non-infected computer will remove your Desktop background.

Here is the text file you requested:

SmitFraudFix v2.105

Scan done at 15:31:27.15, Thu 10/05/2006

Run from C:\Documents and Settings\Leigh Silberg\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\migicons.exe Deleted

C:\Documents and Settings\Leigh Silberg\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

ActiveScan Report:

Incident Status Location

Adware:adware/ipinsight Not disinfected c:\windows\inf\conscorr.inf

Adware:adware/ncase Not disinfected c:\temp\FLEOK

Adware:adware/cws Not disinfected C:\Documents and Settings\Leigh Silberg\Favorites\health

Adware:adware/secure32 Not disinfected C:\WINDOWS\System32\drivers\etc\hosts

Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\SYSTEM32\z2924.exe

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\SYSTEM32\z2748.exe

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\?hkntfs.exe

Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx

Virus:Trj/Downloader.BJ Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-27b6d963-69cc1154.idx

Virus:Trj/Downloader.BJ Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-27b6d962-4c526877.idx

Virus:Trj/Downloader.BJ Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-27b6d963-3076731e.idx

Adware:Adware/Look2Me Not disinfected C:\Program Files\Picasa\pinstall.dll

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Leigh Silberg\Desktop\SmitfraudFix\SmitfraudFix.zip[smitfraudFix/Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Leigh Silberg\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\windows\inf\conscorr.inf
    c:\temp\FLEOK
    C:\Documents and Settings\Leigh Silberg\Favorites\health
    C:\WINDOWS\SYSTEM32\z2924.exe
    C:\WINDOWS\SYSTEM32\z2748.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Download the Hoster Here

Please do not use the program yet.

Unzip Hoster to your desktop

Open up the Hoster program.

  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program

Then post a new Hijackthis log here in a reply.


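The opening symptom of this thread, one machine unable to reach an AV download site while another on the same connection can, is consistent with a hosts-file hijack, and the ActiveScan report above flagged the hosts file; the Hoster step restores it. The following is an added example, not code from the thread or from Hoster, that parses a Windows hosts file and reports names blackholed to loopback or pinned to a fixed address; the sample file and the watched-host list are constructed for illustration.

```python
"""Audit a Windows hosts file for entries that block or redirect update sites.

Added example: not code from the forum thread or from the Hoster tool. The
sample content and the watched-host list are constructed for illustration.
"""
import ipaddress

# Constructed sample in the format of %SystemRoot%\System32\drivers\etc\hosts.
# A clean XP hosts file contains only the localhost line; the rest is what a
# hijack adds so that update and vendor sites stop resolving correctly.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       download.example-av.test   # blackholed: resolves to loopback
0.0.0.0         update.example-av.test
203.0.113.7     www.example-av.test        # pinned to a non-vendor address
"""

# Constructed list of names the audit cares about (RFC 2606 reserved names); a
# real list would hold the AV and OS update hosts the machine depends on.
WATCHED_HOSTS = {"download.example-av.test", "update.example-av.test", "www.example-av.test"}


def parse_hosts(text):
    """Return (line number, ip address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text):
    """Flag blackholed names and watched names pinned to a fixed address.

    Blackholing to loopback is also how ad-block hosts lists work, so the
    watched-host list is what decides whether a loopback entry matters here.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((lineno, name, str(addr),
                             "blackholed: resolves to loopback/unspecified, site unreachable"))
        elif name in WATCHED_HOSTS:
            findings.append((lineno, name, str(addr),
                             "redirected: watched host pinned to a fixed address, bypassing DNS"))
    return findings


if __name__ == "__main__":
    for lineno, name, addr, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {why}")
```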
First, I did receive the message "Click OK at any PendingFileRenameOperations prompt" during the killbox program.

Here is the HiJack Logfile:

Logfile of HijackThis v1.99.1

Scan saved at 8:29:35 PM, on 10/5/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

First download AVG Anti-Spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

  1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG Anti-Spyware will now begin the scanning process, be patient, this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will be prompted, then select "Apply all actions"
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

AVG Report Scan:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 9:52:25 PM 10/5/2006

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Classes\CLSID\{E716BC71-BD4C-141B-C430-3B0BB54033C3} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).

C:\!KillBox\MediaTicketsInstaller.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047543.dll -> Downloader.Tiny.eg : Cleaned with backup (quarantined).

C:\!KillBox\z2924.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047538.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).

::Report end

OK, post a new HijackThis log here in a reply.

Logfile of HijackThis v1.99.1

Scan saved at 8:32:49 AM, on 10/6/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\System32\win_a3.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File


When I attempted to browse and locate the file "C:\WINDOWS\System32\win_a3.dll", it is not there. I even ran HiJack again just to make sure it was still there and it is in the Hijack Logfile like I sent you. I ran a search on my computer and it does not find it either. I even went to the folder options on My Computer and checked all appropriate boxes and radio buttons to "show" all hidden files. I still had no success in locating it on my computer, even though it is showing up on the Hijack Logfile.

Please advise. Thank you.
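An added example, not part of this thread and not HijackThis code: a small Python parser for the O-section lines of a HijackThis log that pulls out the file each autostart entry loads and cross-checks it against the filesystem, which is the comparison being made by hand in the post above. The five sample lines are copied from the log posted in this thread; SAMPLE_FILESYSTEM is a constructed stand-in for the disk so the script runs offline on any OS, and on the affected machine you would pass the default os.path.exists instead.

```python
"""Cross-check HijackThis autostart entries against what the filesystem reports.

Added example for this thread (not HijackThis code). It parses the O-section
lines of a HijackThis 1.99.1 log, pulls out the file each entry loads, and
lists entries whose file cannot be found. A registry-referenced file that the
filesystem does not show is either already gone or being hidden from user-mode
directory listings, which is why the thread moves on to rootkit scanners.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# A Windows path ending in a loadable module extension; non-greedy so trailing
# arguments such as /STARTUP or /SERVICE are not swallowed.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|cpl)\b', re.IGNORECASE)
# "O20 - AppInit_DLLs: ..." -> section code "O20" and the rest of the line.
HJT_LINE = re.compile(r'^([FOR]\d+) - (.*)$')

# Constructed sample: five lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
"""

# Constructed stand-in for the disk, so the example runs offline on any OS.
# On the affected machine you would pass os.path.exists instead.
SAMPLE_FILESYSTEM = {
    r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe",
    r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe",
    r"C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe",
}


@dataclass
class Entry:
    section: str       # HijackThis section code, e.g. "O20"
    path: str          # file the entry causes to be loaded
    raw: str           # original log line
    hjt_missing: bool  # HijackThis itself appended "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Extract one Entry per file path found on each O/F/R line of the log."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue          # process list, header lines, blanks
        section, body = m.groups()
        for path in WIN_PATH.findall(body):
            entries.append(Entry(section, path, line, "(file missing)" in body))
    return entries


def find_missing(entries: List[Entry],
                 exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Map each unfound path to the reason it was flagged."""
    missing: Dict[str, str] = {}
    for e in entries:
        if e.hjt_missing:
            missing[e.path] = f"{e.section}: HijackThis reported (file missing)"
        elif not exists(e.path):
            reason = f"{e.section}: not found on disk"
            if e.section == "O20":
                # AppInit_DLLs is loaded by every process that loads user32.dll,
                # so an unfindable entry here is the one to escalate first.
                reason += "; AppInit_DLLs entry, check with a rootkit scanner"
            missing[e.path] = reason
    return missing


def demo() -> Dict[str, str]:
    """Run the check over the sample log against the constructed filesystem."""
    return find_missing(parse_hjt(SAMPLE_LOG), SAMPLE_FILESYSTEM.__contains__)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{reason}: {path}")
```

A "not found on disk" result from a user-mode check is evidence, not a verdict: a rootkit that filters directory listings will lie to os.path.exists just as it lies to Explorer's search, so the next step after this report is exactly what the thread does, a scan with a tool that looks below the filesystem API.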

Can you try putting C:\WINDOWS\System32\win_a3.dll into the box and clicking submit, rather than browsing for it?

therock247uk

I copy/paste the "C:\WINDOWS\System32\win_a3.dll" into the box and clicked submit. It seemed to have worked. I got a screen with the following message after I hit the send file button "Your file (win_a3.dll) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file".

Thank you.

Ok post me a new Hijackthis log here in a reply.

Logfile of HijackThis v1.99.1

Scan saved at 1:35:02 PM, on 10/6/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\McAfee Firewall\CPD.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab

O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)

O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


I did not see anything regarding this instruction "leave [X]scan through Windows Explorer checked". So, I just clicked >scan then>next. I also did not get any rename option.

10/06/06 17:40:29 [info]: BlackLight Engine 1.0.47 initialized

10/06/06 17:40:29 [info]: OS: 5.1 build 2600 ()

10/06/06 17:40:29 [Note]: 7019 4

10/06/06 17:40:29 [Note]: 7005 0

10/06/06 17:40:51 [Note]: 7006 0

10/06/06 17:40:51 [Note]: 7011 448

10/06/06 17:40:52 [Note]: 7026 0

10/06/06 17:40:52 [Note]: 7026 0

10/06/06 17:41:01 [Note]: FSRAW library version 1.7.1020

10/06/06 17:41:37 [Note]: 7007 0


Download GMER from http://www.gmer.net/

Right Click the Zip and Select "Extract All"

Double Click gmer.exe to launch the program.

Click on the Rootkit Tab and then click Scan.

It takes a while to run. Once complete, copy the results to Notepad and save them somewhere safe.

Post those results in the next reply.


I have tried to run this program about 5 times now. Each time I run the program as you specified, my PC reboots itself. Is this a common occurrence with this program? I don't know if something is wrong with my PC or if it is the GMER program itself that is having the problem.

Please advise. Thank you.


Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.

When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Logfile created on: 10/7/2006 8:52:21 AM

WinPFind v1.5.0 Folder = C:\folder\winpfind\WinPFind\

Microsoft Windows XP (Version = 5.1.2600)

Internet Explorer (Version = 6.0.2600.0000)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

PEC2 10/4/2006 9:13:34 PM 2260014 C:\crash.txt ()

PTech 10/4/2006 9:13:34 PM 2260014 C:\crash.txt ()

WSUD 10/4/2006 9:13:34 PM 2260014 C:\crash.txt ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

WSUD 5/19/2005 9:03:40 AM 4870 C:\WINDOWS\suxddd.dat ()

WSUD 5/25/2005 12:07:04 AM 4866 C:\WINDOWS\eyufxf.dat ()

WSUD 5/8/2005 4:39:02 PM 4866 C:\WINDOWS\jdeme.txt ()

UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe ()

aspack 3/25/2003 6:24:56 PM 311840 C:\WINDOWS\eFaxView.exe (eFax.com)

Checking %System% folder...

WSUD 5/18/2005 12:08:24 AM 4870 C:\WINDOWS\SYSTEM32\bxytq.log ()

WSUD 6/8/2005 11:54:12 AM 9237 C:\WINDOWS\SYSTEM32\awpmc.txt ()

PEC2 8/23/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()

WSUD 8/23/2001 12:00:00 PM 1135616 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)

WSUD 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)

Umonitor 8/23/2001 12:00:00 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)

winsync 8/23/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

PTech 8/7/2006 9:50:22 AM 1484592 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...

UPX! 10/4/2006 8:03:54 PM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

FSG! 10/4/2006 8:03:54 PM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

PEC2 10/4/2006 8:03:54 PM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

aspack 10/4/2006 8:03:54 PM 778656 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

10/7/2006 8:50:08 AM S 2048 C:\WINDOWS\bootstat.dat ()

10/7/2006 8:49:16 AM H 790528 C:\WINDOWS\SYSTEM32\config\system.LOG ()

10/7/2006 8:49:16 AM H 90112 C:\WINDOWS\SYSTEM32\config\software.LOG ()

10/7/2006 8:49:16 AM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG ()

10/7/2006 8:50:26 AM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG ()

10/7/2006 8:50:10 AM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG ()

9/13/2006 10:22:00 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG ()

9/2/2006 8:49:06 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\f1e15f49-651a-40d0-bb6a-c02327f96c79 ()

9/2/2006 8:49:06 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred ()

8/29/2006 10:14:10 PM HS 30208 C:\WINDOWS\All Users\DRM\drmv2.sst ()

10/7/2006 8:48:56 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...

8/24/2000 3:46:38 PM R 266240 C:\WINDOWS\SYSTEM32\Adobe Gamma.cpl (Adobe Systems, Inc.)

7/11/1997 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL ()

5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)

11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)

9/29/2003 9:46:42 AM 65536 C:\WINDOWS\SYSTEM32\bpcpl.cpl (Micro Solutions, Inc.)

8/23/2001 12:00:00 PM 130048 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)

8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)

8/23/2001 5:00:00 AM 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)

8/23/2001 5:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...

{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab

{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

{A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - - CodeBase = http://nexpoly.co.kr/controls/nixplay25.cab

{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

DirectAnimation Java Classes - - CodeBase = file://c:\windows\SYSTEM\dajava.cab

Internet Explorer Classes for Java - - CodeBase = file://c:\windows\SYSTEM\iejava.cab

Microsoft XML Parser for Java - - CodeBase = file://c:\windows\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

4/4/2004 11:49:28 AM 511 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk ()

10/21/2004 11:13:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...

10/21/2004 11:04:16 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...

10/21/2004 11:13:22 PM HS 84 C:\Documents and Settings\Leigh Silberg\Start Menu\Programs\Startup\desktop.ini ()

6/1/2005 2:26:46 PM 554 C:\Documents and Settings\Leigh Silberg\Start Menu\Programs\Startup\SpywareGuard.lnk ()

Checking files in %USERPROFILE%\Application Data folder...

10/21/2004 11:04:16 PM HS 62 C:\Documents and Settings\Leigh Silberg\Application Data\desktop.ini ()

12/28/2003 3:04:08 PM 0 C:\Documents and Settings\Leigh Silberg\Application Data\dm.ini ()

10/3/2004 12:33:04 PM 4862 C:\Documents and Settings\Leigh Silberg\Application Data\dw.log ()

1/11/2005 2:26:00 PM 60192 C:\Documents and Settings\Leigh Silberg\Application Data\GDIPFONTCACHEV1.DAT ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

\\Start Page - about:blank

\\Search Bar -

\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

\\Default_Search_URL -

\\Local Page - C:\windows\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]

\\Start Page - http://www.yahoo.com/

\\Search Page -

\\Local Page - C:\windows\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]

\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

>>> BHO's <<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (Adobe Systems Incorporated)

\{4A368E80-174F-4872-96B5-0B27DDD11DB2} - SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll ()

\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = C:\WINDOWS\SYSTEM32\BROWSEUI.DLL (Microsoft Corporation)

\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINDOWS\System32\msdxm.ocx ()

\\{ACB1E670-3217-45C4-A021-6B829A8A27CB} - McAfee VirusScan = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - = ()

\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]

\\NEXTID - 8198

\\{724d43aa-0d85-11d4-9908-00400523e39a} - 8193 =

\\{320AF880-6646-11D3-ABEE-C5DBF3571F46} - 8194 =

\\{320AF880-6646-11D3-ABEE-C5DBF3571F49} - 8195 =

\\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - 8196 = Share in H&ello

\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8197 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)

\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)

\{B13B4423-2647-4cfc-A4B3-C7D56CB83487} - ButtonText: Share in Hello =

>>> Approved Shell Extensions (Non-Microsoft Only) <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = ()

\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()

\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()

\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)

\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()

\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()

\\{5E44E225-A408-11CF-B581-008029601108} - Adaptec Directcd Shell Extension = C:\Program Files\Adaptec\DirectCD\shellex.dll (Adaptec)

\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\NVIDIA\Win9x\40.72\NvCpl.dll (NVIDIA Corporation)

\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = ()

\\{043308A2-3CF7-4ED5-A668-2B4FB0BD307A} - dBpowerAMP dAP Scripting = ()

\\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Popup Info = ()

\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL (RealNetworks, Inc.)

\\{81559C35-8464-49F7-BB0E-07A383BEF910} - SpywareGuard = C:\Program Files\SpywareGuard\spywareguard.dll ()

\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]

\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)

\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()

\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]

\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)

\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

\NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\NVIDIA\Win9x\40.72\NvCpl.dll (NVIDIA Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]

\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()

\{97F51F2B-E87A-4349-84B1-2D91CB2C0C1B} - = C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (Network Associates, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SystemTray - C:\WINDOWS\SYSTEM32\SysTray.Exe (Microsoft Corporation)

iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)

!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

MSMSGS - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

PopUpStopperFreeEdition - C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe (Panicware, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]

C:\Documents and Settings\Leigh Silberg\Start Menu\Programs\Startup\desktop.ini ()

C:\Documents and Settings\Leigh Silberg\Start Menu\Programs\Startup\SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe ()

>>> MSConfig Disabled Items <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 0

startup 0

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

C:\WINDOWS\System32\win_a3.dll = ()

>>> Image File Execution Options <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)

\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

\\{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Eudora's Shell Extension = C:\PROGRAM FILES\QUALCOMM\EUDORA\EUSHLEXT.DLL (Qualcomm Inc.)

\\{81559C35-8464-49F7-BB0E-07A383BEF910} - SpywareGuard.Handler = C:\Program Files\SpywareGuard\spywareguard.dll ()

\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

\\UserInit = C:\WINDOWS\system32\userinit.exe,

\\Shell = Explorer.exe

\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

\crypt32chain - crypt32.dll = (Microsoft Corporation)

\cryptnet - cryptnet.dll = (Microsoft Corporation)

\cscdll - cscdll.dll = (Microsoft Corporation)

\ScCertProp - wlnotify.dll = (Microsoft Corporation)

\Schedule - wlnotify.dll = (Microsoft Corporation)

\sclgntfy - sclgntfy.dll = (Microsoft Corporation)

\SensLogn - WlNotify.dll = (Microsoft Corporation)

\termsrv - wlnotify.dll = (Microsoft Corporation)

\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<

{C3425298-1772-4BC1-85FD-A11D16AECC2E} - (VIA PCI 10/100Mb Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]

\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)

\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)

\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]

\000000000001\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000002\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000003\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000004\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000005\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000006\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000007\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000008\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000009\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000010\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000011\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000015\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)

\000000000016\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)

\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000021\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000022\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

\000000000023\\PackedCatalogItem - CC:\WINDOWS\system32\CSLSP.DLL ()

>>> Protocol Handlers (Non-Microsoft Only) <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]

\ipp - ()

\msdaipp - ()

\vnd.ms.radio - C:\WINDOWS\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

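The log above lists autostart and hook locations that malware of this era routinely abused (AppInit_DLLs, Winlogon Notify, ShellExecuteHooks, the Winsock LSP catalog). When a helper reads such a log, the first pass is mechanical: in those sections, pick out every module whose publisher field is empty and every module path that is not well formed. The Python below is an added example for doing that first pass over the scanner's text format; it is not part of this thread and is not code from the scanning tool. The sample log embedded in it is constructed to mirror the layout of the posted log (the GUID, sample_a.dll, sample.dll and sample_lsp.dll are made-up names), and the two heuristics are this example's own. An empty publisher field only means the scanner found no company name in the file's version information; legitimate software shows up that way too (the SpywareGuard hook in the log above does), so the output is a review list for a human, not a verdict.

```python
"""Triage an autostart/Winsock log in the '>>> Section <<<' format posted above.

Added example, not the scanning tool's code.  Two heuristics:
  * a module in a sensitive section with an empty publisher field '()'
  * a drive-style module path that does not start with a single drive letter
"""
import re

# Sections where a third-party DLL gets loaded into every process, into
# winlogon, or into every socket-using program.
SENSITIVE_SECTIONS = {
    "AppInit Dll's",
    "Image File Execution Options",
    "Shell Service Object Delay Load",
    "Shell Execute Hooks",
    "Winlogon",
    "All Winsock2 Catalogs",
}

SECTION_RE = re.compile(r"^>>> (.+?) <<<$")
PUBLISHER_RE = re.compile(r"\s*\(([^()]*)\)\s*$")   # trailing '(Publisher)' or '()'
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")              # 'C:\...' with one drive letter

# Constructed sample in the posted log's layout (names are made up).
SAMPLE_LOG = r""">>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]
C:\WINDOWS\System32\sample_a.dll = ()
>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{00000000-0000-0000-0000-000000000001} - Sample.Handler = C:\Program Files\Sample\sample.dll ()
>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - CC:\WINDOWS\system32\sample_lsp.dll ()
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
"""


def parse_entry(line):
    """Return (module, publisher) for a line ending in '(Publisher)', else None.

    Handles the three shapes the log uses:
      'C:\\path\\x.dll = ()'                      -> module is the left-hand side
      '\\name - x.dll = (Pub)'                    -> module sits before ' ='
      '\\\\{GUID} - Name = C:\\path\\x.dll (Pub)'  -> module follows the last ' = '
      '\\0001\\\\PackedCatalogItem - C:\\x.dll (Pub)' -> module follows the last ' - '
    """
    m = PUBLISHER_RE.search(line)
    if m is None:
        return None
    publisher = m.group(1).strip()
    rest = line[:m.start()].rstrip()
    if rest.endswith(" ="):
        module = rest[:-2].rstrip().rsplit(" - ", 1)[-1]
    elif " = " in rest:
        module = rest.rsplit(" = ", 1)[-1]
    else:
        module = rest.rsplit(" - ", 1)[-1]
    return module.strip(), publisher


def malformed_path(module):
    """True for drive-style paths without a single leading drive letter (e.g. 'CC:\\...')."""
    return ":\\" in module and DRIVE_RE.match(module) is None


def triage(log_text):
    """Walk the log by section; return (section, module, reasons) for entries to review."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section not in SENSITIVE_SECTIONS or line.startswith("["):
            continue                      # other sections, and registry key lines
        entry = parse_entry(line)
        if entry is None:
            continue                      # e.g. 'UserInit = ...,' has no publisher field
        module, publisher = entry
        reasons = []
        if publisher == "":
            reasons.append("no publisher recorded")
        if malformed_path(module):
            reasons.append("malformed module path")
        if reasons:
            findings.append((section, module, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for section, module, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {module}: {', '.join(reasons)}")
```

Run it as-is to see the three review items from the constructed sample; to use it on a real log, pass the pasted text to `triage()` and check each hit against the file on disk (version information, digital signature, where it came from) before deciding anything.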