Tabbydaze

Virus Trouble

I'm having trouble - I've read some of the forum help pages and tried a few things. The pop-ups are gone, but I'm still getting warnings from my scans. I have been scanning with a-squared, ewido and AVG. AVG was picking up a virus but today has shown none. a-squared is still showing something there. Any help would be great. Bear with me, as this is the first time for me to try this with online help. I was able to track my 1st and only virus before, 2 yrs ago. No such luck or time on this one :wacko: Tabby

Here is the HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 4:16:54 PM, on 1/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\SYS99.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\a-squared\a2guard.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Rhapsody\rhaphlpr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)

O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe

O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM32\nwinpsaw.exe CORN001

O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [sP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

So that we have a little better idea what we are looking for, could you please tell us which file a-squared is saying it is finding.

So that we have a little better idea what we are looking for, could you please tell us which file a-squared is saying it is finding.

I'm re-running that right now and will post. Just to be sure I get this right, is there any special instruction on posting the results?

Thanks, Tabby

OK, last night when I ran a-squared it showed nothing. But their <sorry, not sure what it's called> thing that runs in the background was popping up with this -

C:\WINDOWS\SYSTEM32\nwinpsaw.exe

Found a possible trojan or spyware downloader

C:\WINDOWS\win3208351053236.exe

Found a possible trojan or spyware downloader

I clicked to allow the first one to go once, and the second one kept popping up over and over, so I set it to allow it always, and the pop-up ads swarmed in after that.

I've run Ad-Aware and am now going to scan again with a-squared.

This is taking me a little time because I have a baby in the house as well as 2 other kids. Can anyone tell me what scans to send in - maybe all at once? I usually can get on when the baby is napping and try to get things done, but this could take days with me trying to send one type of scan at a time.

Thanks so much - Tabby ;)

a-squared scan -

Filename Diagnosis

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][2].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][2].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][2].txt Trace.TrackingCookie

C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt Trace.TrackingCookie

I'm not sure what to do; some file I need to get online is gone - I went to boot last night after getting some hard lag, and when it restarted it wouldn't go online. When I tried repair, it said it was unable to detect IP or something. I'm going to try to find the file I need - what do I do next? Someone please help me :wacko:

I already called my internet tech support people - I'm going to "try" to find the file he referred me to - if anyone is on XP Home SP2 that might have it (if possible), can you e-mail me.

OK, I'm going to add the HijackThis log I just ran - should I be unplugged from the internet and in safe mode to run it? :poster_stupid: Bear with me - I'm a housewife and mother; the PC is my side job :D

a-squared shows a clean scan from "scan your PC for malware", but on "check your system with HijackFree" it shows things like bigfoot, alandinz.p, mutebot, pizaboy-a, flood.av, fan-a, rbot and many more in several different places. Most listed came from the scan from the system tray.

I have scanned, scrubbed, and so on, but still come up with those on the a-squared system scan. At one point I thought I was rid of the trouble, but then it was back again. AVG is not picking up a virus anymore, though.

Also I am having trouble with start-up programs that keep coming back. All I want on start-up is Windows and the needed antivirus and firewall control - I have deleted Zeno everywhere I can find it, but it is still back, also something to do with MSN Messenger.

Please help :wacko:

Logfile of HijackThis v1.99.1

Scan saved at 11:10:53 AM, on 1/8/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\win3208351053236.exe

C:\WINDOWS\SYS99.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\a-squared\a2guard.exe

C:\WINDOWS\SYSTEM32\nwinpsaw.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\DOCUME~1\JOHNST~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)

O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe

O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM32\nwinpsaw.exe CORN001

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [sP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

OK, first I want to apologize for the belated reply; I had family come in from out of town over the weekend, and to top things off, for some reason I didn't receive my notification that you had responded.

Second, I merged your two topics together since they are still dealing with the same problem. Please keep your posting to this one thread until we get you cleaned up :)

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)

O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)

O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe

O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\Wadpaphk.dll

C:\WINDOWS\system32\jumb.exe

C:\WINDOWS\win3208351053236.exe

C:\WINDOWS\SYS99.exe

C:\WINDOWS\SYSTEM32\nwinpsaw.exe

Reboot your PC.

Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):

http://housecall.antivirus.com/

And a free trojan scan here:

http://www.moosoft.com/

If you would please, reboot and rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :)

Hey there, thanks for the reply. I'm down at home :wacko: My TCP/IP is gone, corrupt? Not sure. I'm not even sure about how to go about mending this other than with a clean install. I have gotten different tech support on this saying 2 different things. Any ideas? I'm at the library right now and will come back tonight to check this. I really don't want to have to do a clean install yet, but if all else fails I guess I will have to.

I'm running an eMachines XP Home SP2 - I was told by one person to find the file online, but after doing a search I found a command to put in, but it is not working. Tech support at my internet carrier said to call the eMachines folks, but I can't get help there because there is a charge. If you've any ideas, I'd love you lots if you'd pass them on :thumbsup:

I'm going to print your last post and go do that stuff. Will be back later today (if you get this in the next 30 min I will still be here).

Thanks again LOTS, Tabby

You said your TCP/IP is corrupted??

OK, let's get you back online. I hope you have a floppy disk with you, because I need you to get a file off the internet and put it on the disk.

1.) Download WinsockFix.zip (by: Option^Explicit).
2.) Unzip WinsockFix.zip (pay close attention to where the file is extracted to).
3.) Run WinsockFix.exe.
4.) Click the Fix button.

This program will clean up your TCP/IP connection and rebuild the database. After the program is complete, reboot, and your problems should be resolved.

OK, I'M BACK! Don't ask me how, but it's online. I saw that winsock thing online (go to the command prompt, then type the command "Netsh winsock reset") and tried that - called a PC tech friend who argued with me <LOL> over how I got dumped from online, then a little here, a little there (he had me delete some spyware files), and it seemed to not work after several restarts, but I restarted right now and was about to reinstall my Actiontec gateway box and thought I'd give it a check to get online and I'M HERE! Makes no sense, because I tried after doing everything else and it would not go - anyhow, so here is the new HijackThis log ---- should I still go to that link and do the WinsockFix download? Thanks again for your time :D

Logfile of HijackThis v1.99.1

Scan saved at 3:57:44 PM, on 1/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wpabaln.exe

C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Here's this morning's HijackThis log.

I have a question --- I'm a music freak, and not having WinMX is a nightmare. I, once again, downloaded LimeWire last night. Is that a terribly bad program? Will it matter if I buy it?

Anyhow, I wanted to post this new log since I was on last night messing around, and it seems every time I try to start a program I create trouble. I see this CSRSS.EXE in a-squared. This is in the 3rd scan box.

I'm trying to avoid a restart because whatever it is comes back on restart :ph34r: -

Here's the new log -

Logfile of HijackThis v1.99.1

Scan saved at 8:30:29 AM, on 1/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\system32\wpabaln.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

To be honest with you, it's a wonder you're online. I don't know exactly what your PC tech told you to remove, but he broke an LSP chain that we now have to fix.

Please download WinPFind.

Extract WinPFind.zip to your C:\ folder. Do not run it yet.

Next, please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and remove all traces of newdotnet3_88.dll.

Reboot your computer into Safe Mode.

Then open C:\WinPFind and double-click on WinPFind.exe.

When the program is open, click on the Start Scan button to start scanning your computer. Be patient, as this scan may take a while.

When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of C:\WinPFind\WinPFind.txt as a reply to this topic.

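As an added example (not code from this thread, from HijackThis or from any tool it mentions), here is a small Python triage of a HijackThis v1.99 log that applies the rules the helper used by hand in the two posts above: "(file missing)" hooks that are orphaned registry entries, O4 autostarts launched straight from the Windows directory or carrying random numeric names, and the O10 broken-LSP line that needs LSPFix rather than deletion. The sample log and the small allowlist of normal Windows-directory autostarts are constructed for this example.

```python
"""Triage a HijackThis v1.99 log the way the helper above does by hand.

Heuristics, not signatures: every hit means "review this", not "this is malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: entry types quoted in this thread, nothing else.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYS99.exe
C:\Program Files\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First drive-letter path ending in a binary extension (spaces allowed inside the path).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|scr)\b", re.IGNORECASE)
# Autostarts that legitimately live in the Windows directory on XP (constructed allowlist).
KNOWN_WINDIR_AUTOSTARTS = {"ctfmon.exe", "soundman.exe", "systray.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. O4
    reason: str    # why a helper would look twice at it
    path: str      # file the entry points at ("" if none)
    line: str      # the log line verbatim, ready to tick in HijackThis
    running: bool  # target also appears under "Running processes"


def triage(log_text):
    """Return the entries of a HijackThis log that deserve a second look."""
    running, entries = set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
        elif PATH_RE.fullmatch(line):          # bare path = running-process line
            running.add(line.lower())

    findings = []
    for section, line in entries:
        pm = PATH_RE.search(line)
        path = pm.group(0) if pm else ""
        reasons = []
        if section == "O10":
            reasons.append("Winsock LSP chain is broken: repair with LSPFix, do not just delete")
        if "(file missing)" in line:
            reasons.append("hooks a file that no longer exists (orphaned entry)")
        if section == "O4" and path:
            parent, _, name = path.lower().rpartition("\\")
            if parent in WINDOWS_DIRS and name not in KNOWN_WINDIR_AUTOSTARTS:
                reasons.append("autostart launched straight from the Windows directory")
            if re.search(r"\d{6,}", name):
                reasons.append("random-looking numeric file name")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), path, line,
                                    path.lower() in running))
    return findings


def hijackthis_fix_list(findings):
    """Lines to tick and 'Fix checked' in HijackThis (O10 needs LSPFix instead)."""
    return [f.line for f in findings if f.section != "O10"]


def files_to_remove(findings):
    """Flagged autostart targets to delete from safe mode (if found)."""
    return sorted({f.path for f in findings if f.section == "O4"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "RUNNING " if f.running else ""
        print(f"{f.section:<4}{tag}{f.path or f.line}\n      -> {f.reason}")
```

On the sample this reproduces the helper's list (the R3 hook, jumb.exe, win3208351053236.exe, SYS99.exe, nwinpsaw.exe) and marks SYS99.exe as still running, which is why the files are deleted from safe mode.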

I just wanted to post this before doing anything else, because I have been working on my PC all day and I don't see the broken file anymore, unless I just missed it somewhere. My friend did not have me delete that - that being broken is why I called him. Soon after posting here, I got really bad lag one night and went to boot and "poof", my connection was gone. My friend is the one that helped me somehow, still not sure how, get back online. I had found a winsock command - not sure that had anything to do with it.

Anyhow - Ad-Aware, Spybot, AVG, ewido & a-squared run a clean scan, but TrueSword pulled a lot of stuff. Seems that I run into trouble once I restart.... or after clicked programs open. Let me know if you still need me to do the steps from the last post - Thanks SO much for your time!

Tabby

Oh, and no sign of the "newdotnet".

Logfile of HijackThis v1.99.1

Scan saved at 2:20:40 PM, on 1/12/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\wpabaln.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited by Tabbydaze


OK, please do the WinPFind log as requested; it sounds like we might be dealing with hidden malware. You are correct about the NewDotNet entry missing. It is odd that it disappeared on its own.

I forgot to mention in my last post, after I saw you were using LimeWire, that LimeWire itself is clean when it comes to the program; however, the files you are downloading, sharing, etc. are more than likely where the infections on your computer are coming from. P2P programs open new doors for malware to come into your system no matter how protected it may be. The reason for this is that you are connecting to other home computer systems, and those in turn could be infected. When you download a file from there, you run a higher risk of downloading malware with it.


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600

Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

UPX! 1/7/2006 4:16:40 PM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...

PEC2 8/4/2004 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

winsync 8/4/2004 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

PECompact2 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe

Umonitor 8/4/2004 12:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll

aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

UPX! 12/20/2005 5:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe

PEC2 2/14/1997 11:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb

Checking %System%\Drivers folder and sub-folders...

UPX! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

FSG! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

PEC2 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

aspack 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

1/13/2006 2:18:00 PM S 2048 C:\WINDOWS\bootstat.dat

11/30/2005 8:11:18 PM RH 188448 C:\WINDOWS\HWINFO.DAT

11/30/2005 8:08:28 PM H 6093 C:\WINDOWS\ttfCache

11/30/2005 8:10:14 PM H 23155 C:\WINDOWS\folder.htt

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\WindowsShell.Manifest

12/7/2005 1:34:30 PM HS 5632 C:\WINDOWS\Thumbs.db

11/30/2005 8:10:14 PM H 23155 C:\WINDOWS\SYSTEM\folder.htt

11/30/2005 8:10:14 PM H 271 C:\WINDOWS\SYSTEM\desktop.ini

12/29/2005 10:17:44 AM H 0 C:\WINDOWS\INF\oem3.inf

11/30/2005 8:09:10 PM H 9793 C:\WINDOWS\HELP\windows.GID

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest

1/10/2006 7:16:14 PM RH 488 C:\WINDOWS\SYSTEM32\logonui.exe.manifest

1/13/2006 11:26:54 AM H 35864 C:\WINDOWS\SYSTEM32\vsconfig.xml

1/8/2006 10:17:44 AM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat

1/13/2006 2:17:20 PM H 811008 C:\WINDOWS\SYSTEM32\config\system.LOG

1/13/2006 2:17:20 PM H 57344 C:\WINDOWS\SYSTEM32\config\software.LOG

1/13/2006 2:17:20 PM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG

1/10/2006 7:09:10 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdiff.LOG

1/10/2006 7:08:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\TempKey.LOG

1/13/2006 2:18:08 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG

1/13/2006 2:18:00 PM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG

1/10/2006 7:09:00 PM H 0 C:\WINDOWS\SYSTEM32\config\system.tmp.LOG

1/10/2006 7:09:10 PM H 0 C:\WINDOWS\SYSTEM32\config\software.tmp.LOG

1/10/2006 7:09:10 PM H 0 C:\WINDOWS\SYSTEM32\config\default.tmp.LOG

1/10/2006 7:17:34 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdifr.LOG

1/11/2006 10:38:50 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\desktop.ini

12/1/2005 9:11:28 AM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\desktop.ini

12/1/2005 9:11:28 AM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0HSPUTCX\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1IZQ9UL\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0FAZQ3OR\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PIBQ3OT\desktop.ini

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\desktop.ini

12/1/2005 9:05:22 AM HS 148 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\desktop.ini

12/1/2005 9:05:22 AM HS 482 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini

12/1/2005 9:05:22 AM HS 348 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini

12/1/2005 9:05:22 AM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini

12/1/2005 9:05:22 AM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

12/1/2005 9:03:58 AM HS 181 C:\WINDOWS\SYSTEM32\config\systemprofile\SendTo\desktop.ini

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\desktop.ini

12/3/2005 2:13:26 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\89673cc2-441f-46bc-8cbf-b6ac7892b034

12/3/2005 2:13:26 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred

12/1/2005 9:11:34 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\5ced54f3-8eb1-4d1b-ba37-e071fa8d5238

12/1/2005 9:11:34 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred

1/2/2006 4:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat

11/30/2005 9:17:10 PM S 21633 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat

12/1/2005 5:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat

1/10/2006 7:16:50 PM HS 67 C:\WINDOWS\FONTS\desktop.ini

11/30/2005 8:09:12 PM H 4753 C:\WINDOWS\WEB\wiadev.htt

11/30/2005 8:09:12 PM H 18952 C:\WINDOWS\WEB\wiacam.htt

11/30/2005 8:09:12 PM H 20150 C:\WINDOWS\WEB\wiastream.htt

11/30/2005 8:09:12 PM H 1574 C:\WINDOWS\WEB\wiastyle.css

11/30/2005 8:09:12 PM H 2998 C:\WINDOWS\WEB\PICTURES.ICO

11/30/2005 8:09:12 PM H 10134 C:\WINDOWS\WEB\CAMERA.ICO

11/30/2005 8:09:12 PM H 10134 C:\WINDOWS\WEB\STREAM.ICO

11/30/2005 8:10:14 PM H 1535 C:\WINDOWS\WEB\webview.css

11/30/2005 8:10:14 PM H 18163 C:\WINDOWS\WEB\controlp.htt

11/30/2005 8:10:14 PM H 4780 C:\WINDOWS\WEB\default.htt

11/30/2005 8:10:14 PM H 3191 C:\WINDOWS\WEB\folder.htt

11/30/2005 8:10:14 PM H 16287 C:\WINDOWS\WEB\nethood.htt

11/30/2005 8:10:14 PM H 11034 C:\WINDOWS\WEB\recycle.htt

11/30/2005 8:10:14 PM H 6391 C:\WINDOWS\WEB\schedule.htt

11/30/2005 8:10:14 PM H 9227 C:\WINDOWS\WEB\dialup.htt

11/30/2005 8:10:14 PM H 1749 C:\WINDOWS\WEB\wvleft.gif

11/30/2005 8:10:14 PM H 90056 C:\WINDOWS\WEB\classic.bmp

11/30/2005 8:10:14 PM H 641 C:\WINDOWS\WEB\classic.htt

11/30/2005 8:10:14 PM H 18100 C:\WINDOWS\WEB\folder.bmp

11/30/2005 8:10:14 PM H 1031 C:\WINDOWS\WEB\starter.htt

11/30/2005 8:10:14 PM H 31080 C:\WINDOWS\WEB\starter.bmp

11/30/2005 8:10:14 PM H 18100 C:\WINDOWS\WEB\preview.bmp

11/30/2005 8:10:14 PM H 18276 C:\WINDOWS\WEB\imgview.htt

11/30/2005 8:10:14 PM H 830 C:\WINDOWS\WEB\deskmovr.htt

11/30/2005 8:10:14 PM H 20510 C:\WINDOWS\WEB\fsresult.htt

11/30/2005 8:10:14 PM H 29797 C:\WINDOWS\WEB\standard.htt

11/30/2005 8:10:14 PM H 33916 C:\WINDOWS\WEB\webview.js

11/30/2005 8:10:14 PM H 2642 C:\WINDOWS\WEB\exclam.gif

11/30/2005 8:10:14 PM H 80 C:\WINDOWS\WEB\plushot.gif

11/30/2005 8:10:14 PM H 59 C:\WINDOWS\WEB\pluscold.gif

11/30/2005 8:10:14 PM H 77 C:\WINDOWS\WEB\minhot.gif

11/30/2005 8:10:14 PM H 56 C:\WINDOWS\WEB\mincold.gif

11/30/2005 8:10:14 PM H 11870 C:\WINDOWS\WEB\printers.htt

11/30/2005 8:10:14 PM H 25217 C:\WINDOWS\WEB\sysroot.htt

11/30/2005 8:10:16 PM H 2848 C:\WINDOWS\WEB\brfcase.htt

11/30/2005 8:10:16 PM H 11083 C:\WINDOWS\WEB\ftp.htt

12/5/2005 10:39:26 AM HS 96768 C:\WINDOWS\WEB\Wallpaper\Thumbs.db

12/5/2005 10:38:50 AM HS 5632 C:\WINDOWS\WEB\Wallpaper\Hearts In Love\Thumbs.db

12/1/2005 9:04:18 AM RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab

12/1/2005 9:04:18 AM RHS 19854 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab

12/1/2005 9:04:18 AM RHS 244933 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab

1/11/2006 3:26:18 PM RHS 11347 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab

1/11/2006 3:27:26 PM RHS 14930 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab

1/13/2006 2:17:16 PM H 6 C:\WINDOWS\TASKS\SA.DAT

1/4/2006 9:13:34 PM HS 568832 C:\WINDOWS\DRM\drmv2.lic

1/4/2006 10:11:44 PM HS 44544 C:\WINDOWS\DRM\drmv2.sst

12/2/2005 2:14:38 PM HS 48 C:\WINDOWS\DRM\v2ks.sec

12/2/2005 2:14:38 PM HS 312 C:\WINDOWS\DRM\v2ks.bla

12/2/2005 2:14:56 PM HS 4348 C:\WINDOWS\DRM\DRMv1.bak

12/2/2005 2:14:56 PM HS 4348 C:\WINDOWS\DRM\DRMv1.key

1/10/2006 6:55:06 PM HS 1445888 C:\WINDOWS\DRM\drmstore.hds

1/4/2006 10:17:16 PM HS 51477 C:\WINDOWS\DRM\migration.log

1/4/2006 10:17:18 PM HS 13824 C:\WINDOWS\DRM\drmv2.licIndex

1/4/2006 10:54:04 PM HS 488 C:\WINDOWS\DRM\v2ksndv.bla

1/4/2006 10:54:04 PM HS 313544 C:\WINDOWS\DRM\IndivBox.key

1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini

1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini

1/10/2006 7:17:32 PM H 626688 C:\WINDOWS\repair\ntuser.dat

Checking for CPL files...

Microsoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Avance Logic, Inc. 7/16/2002 1:08:00 PM 629248 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL

Microsoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

1/10/2006 7:17:30 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...

1/10/2006 7:10:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...

12/1/2005 9:05:22 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

12/1/2005 8:57:18 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = %SystemRoot%\system32\SHELL32.dll

{53C74826-AB99-4d33-ACA4-3117F51D3788} = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu

{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu

{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}

= C:\WINDOWS\SYSTEM32\SHELL32.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}

= C:\WINDOWS\SYSTEM32\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}

= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}

Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

ButtonText = Yahoo! Messenger : C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 0

startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp

NoRealMode 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun •

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = Explorer.exe

System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 1/13/2006 2:25:39 PM


Well, you definitely got something there, so let's get rid of it, shall we.

First let's show your hidden files and folders:

Open My Computer, then click on Tools and select Folder Options.

Next click on the View tab.

Scroll down, find "Show hidden files and folders" and click on the radio button next to it.

Close My Computer.

Boot into Safe Mode, start My Computer, and then navigate to and delete this file:

C:\WINDOWS\SYSTEM32\aswBoot.exe

Finally:

  • Click Start > Run.
    Type regedit
    Then click OK.

    Back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
    To do this, click on File and then select Export. Choose a file name you will easily identify and save it to a place you will remember, like your desktop.
    Next navigate to the key:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In the left pane, delete the subkey:

  • "Xuy v palto"

Exit the Registry Editor.

Reboot your computer to safe mode and get a fresh winpfind log, then post it in this topic.

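The manual removal steps in the post above (show hidden files, export the Services key, quarantine the file, delete the named subkey) can be scripted so that a backup is always taken before anything is removed and so that a missing subkey is reported rather than silently skipped. This is an added example written for this thread, not a script from the helper or from the WinPFind/HijackThis tools; it assumes a Windows machine with PowerShell and reg.exe, an administrator session, and that it is run from Safe Mode as the post advises. The file path and the subkey name are the ones named in the post; the backup location on the desktop and the `quarantine-<timestamp>` folder name are assumptions of this example.

```powershell
# Added example, not part of the original thread. Scripts the removal steps above
# with a backup-first discipline. Assumed: run as administrator from Safe Mode,
# PowerShell with reg.exe available. Path and subkey name come from the post.
param(
    [string]$SuspectFile = 'C:\WINDOWS\SYSTEM32\aswBoot.exe',
    [string]$ServiceName = 'Xuy v palto',
    [string]$BackupDir   = "$env:USERPROFILE\Desktop"   # assumed backup location
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Show hidden and system files in Explorer (the Folder Options > View setting).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $advKey -Name ShowSuperHidden -Value 1 -Type DWord

# 2. Record what is there before touching anything: file attributes and hash,
#    then a .reg export of the whole Services key (the "File > Export" step).
if (Test-Path -LiteralPath $SuspectFile) {
    Get-Item -LiteralPath $SuspectFile -Force |
        Select-Object FullName, Length, LastWriteTime, Attributes |
        Format-List | Out-String | Write-Host
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {   # PowerShell 4+
        (Get-FileHash -LiteralPath $SuspectFile -Algorithm SHA256).Hash | Write-Host
    }
}
$regBackup = Join-Path $BackupDir "Services-backup-$stamp.reg"
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' $regBackup /y | Out-Null
if (-not (Test-Path -LiteralPath $regBackup)) {
    throw "Registry export to $regBackup failed; stopping before any change."
}

# 3. Quarantine rather than delete: move the file into a timestamped folder so it
#    can be restored if it turns out to be legitimate. A locked file makes
#    Move-Item fail loudly, which is the desired behaviour outside Safe Mode.
if (Test-Path -LiteralPath $SuspectFile) {
    $quarantine = Join-Path $BackupDir "quarantine-$stamp"
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    Move-Item -LiteralPath $SuspectFile -Destination $quarantine -Force
    Write-Host "Moved $SuspectFile to $quarantine"
} else {
    Write-Host "$SuspectFile not present; nothing to quarantine."
}

# 4. Remove the service subkey only if it exists, after printing its values so
#    the record shows what was removed. Say so explicitly when it is absent.
$target = Join-Path $servicesKey $ServiceName
if (Test-Path -LiteralPath $target) {
    Get-ItemProperty -LiteralPath $target | Format-List | Out-String | Write-Host
    Remove-Item -LiteralPath $target -Recurse -Force
    Write-Host "Removed $target (backup in $regBackup)"
} else {
    Write-Host "No subkey named '$ServiceName' under $servicesKey."
}
```

Restoring is a double-click on the exported .reg file or `reg.exe import`, and moving the quarantined file back. Printing the subkey's values before deletion matters on a thread like this one: the later reply reports the subkey was not there at all, and a script that had silently skipped that step would leave the next helper guessing whether it had ever existed.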

I didn't find the "Xuy v palto" key; there was nothing showing in the pane at all.

Here's the new scan:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600

Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

UPX! 1/7/2006 4:16:40 PM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...

Checking %System% folder...

PEC2 8/4/2004 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

winsync 8/4/2004 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

PECompact2 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe

Umonitor 8/4/2004 12:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll

aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

PEC2 2/14/1997 11:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb

Checking %System%\Drivers folder and sub-folders...

UPX! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

FSG! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

PEC2 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

aspack 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

1/13/2006 3:33:48 PM S 2048 C:\WINDOWS\bootstat.dat

11/30/2005 8:11:18 PM RH 188448 C:\WINDOWS\HWINFO.DAT

11/30/2005 8:08:28 PM H 6093 C:\WINDOWS\ttfCache

11/30/2005 8:10:14 PM H 23155 C:\WINDOWS\folder.htt

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\WindowsShell.Manifest

12/7/2005 1:34:30 PM HS 5632 C:\WINDOWS\Thumbs.db

11/30/2005 8:10:14 PM H 23155 C:\WINDOWS\SYSTEM\folder.htt

11/30/2005 8:10:14 PM H 271 C:\WINDOWS\SYSTEM\desktop.ini

12/29/2005 10:17:44 AM H 0 C:\WINDOWS\INF\oem3.inf

11/30/2005 8:09:10 PM H 9793 C:\WINDOWS\HELP\windows.GID

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest

1/10/2006 7:16:08 PM RH 749 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest

1/10/2006 7:16:14 PM RH 488 C:\WINDOWS\SYSTEM32\logonui.exe.manifest

1/13/2006 2:29:38 PM H 35864 C:\WINDOWS\SYSTEM32\vsconfig.xml

1/8/2006 10:17:44 AM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat

1/13/2006 3:33:10 PM H 1261568 C:\WINDOWS\SYSTEM32\config\system.LOG

1/13/2006 3:33:10 PM H 696320 C:\WINDOWS\SYSTEM32\config\software.LOG

1/13/2006 3:33:10 PM H 16384 C:\WINDOWS\SYSTEM32\config\default.LOG

1/10/2006 7:09:10 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdiff.LOG

1/10/2006 7:08:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\TempKey.LOG

1/13/2006 3:33:58 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG

1/13/2006 3:33:48 PM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG

1/10/2006 7:09:00 PM H 0 C:\WINDOWS\SYSTEM32\config\system.tmp.LOG

1/10/2006 7:09:10 PM H 0 C:\WINDOWS\SYSTEM32\config\software.tmp.LOG

1/10/2006 7:09:10 PM H 0 C:\WINDOWS\SYSTEM32\config\default.tmp.LOG

1/10/2006 7:17:34 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdifr.LOG

1/11/2006 10:38:50 PM H 1024 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\desktop.ini

12/1/2005 9:11:28 AM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\desktop.ini

12/1/2005 9:11:28 AM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0HSPUTCX\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1IZQ9UL\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0FAZQ3OR\desktop.ini

12/1/2005 9:11:28 AM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PIBQ3OT\desktop.ini

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\desktop.ini

12/1/2005 9:05:22 AM HS 148 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\desktop.ini

12/1/2005 9:05:22 AM HS 482 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini

12/1/2005 9:05:22 AM HS 348 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini

12/1/2005 9:05:22 AM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini

12/1/2005 9:05:22 AM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

12/1/2005 9:03:58 AM HS 181 C:\WINDOWS\SYSTEM32\config\systemprofile\SendTo\desktop.ini

12/1/2005 8:57:18 AM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\desktop.ini

12/3/2005 2:13:26 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\89673cc2-441f-46bc-8cbf-b6ac7892b034

12/3/2005 2:13:26 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred

12/1/2005 9:11:34 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\5ced54f3-8eb1-4d1b-ba37-e071fa8d5238

12/1/2005 9:11:34 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred

1/2/2006 4:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat

11/30/2005 9:17:10 PM S 21633 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat

12/1/2005 5:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat

1/10/2006 7:16:50 PM HS 67 C:\WINDOWS\FONTS\desktop.ini

11/30/2005 8:09:12 PM H 4753 C:\WINDOWS\WEB\wiadev.htt

11/30/2005 8:09:12 PM H 18952 C:\WINDOWS\WEB\wiacam.htt

11/30/2005 8:09:12 PM H 20150 C:\WINDOWS\WEB\wiastream.htt

11/30/2005 8:09:12 PM H 1574 C:\WINDOWS\WEB\wiastyle.css

11/30/2005 8:09:12 PM H 2998 C:\WINDOWS\WEB\PICTURES.ICO

11/30/2005 8:09:12 PM H 10134 C:\WINDOWS\WEB\CAMERA.ICO

11/30/2005 8:09:12 PM H 10134 C:\WINDOWS\WEB\STREAM.ICO

11/30/2005 8:10:14 PM H 1535 C:\WINDOWS\WEB\webview.css

11/30/2005 8:10:14 PM H 18163 C:\WINDOWS\WEB\controlp.htt

11/30/2005 8:10:14 PM H 4780 C:\WINDOWS\WEB\default.htt

11/30/2005 8:10:14 PM H 3191 C:\WINDOWS\WEB\folder.htt

11/30/2005 8:10:14 PM H 16287 C:\WINDOWS\WEB\nethood.htt

11/30/2005 8:10:14 PM H 11034 C:\WINDOWS\WEB\recycle.htt

11/30/2005 8:10:14 PM H 6391 C:\WINDOWS\WEB\schedule.htt

11/30/2005 8:10:14 PM H 9227 C:\WINDOWS\WEB\dialup.htt

11/30/2005 8:10:14 PM H 1749 C:\WINDOWS\WEB\wvleft.gif

11/30/2005 8:10:14 PM H 90056 C:\WINDOWS\WEB\classic.bmp

11/30/2005 8:10:14 PM H 641 C:\WINDOWS\WEB\classic.htt

11/30/2005 8:10:14 PM H 18100 C:\WINDOWS\WEB\folder.bmp

11/30/2005 8:10:14 PM H 1031 C:\WINDOWS\WEB\starter.htt

11/30/2005 8:10:14 PM H 31080 C:\WINDOWS\WEB\starter.bmp

11/30/2005 8:10:14 PM H 18100 C:\WINDOWS\WEB\preview.bmp

11/30/2005 8:10:14 PM H 18276 C:\WINDOWS\WEB\imgview.htt

11/30/2005 8:10:14 PM H 830 C:\WINDOWS\WEB\deskmovr.htt

11/30/2005 8:10:14 PM H 20510 C:\WINDOWS\WEB\fsresult.htt

11/30/2005 8:10:14 PM H 29797 C:\WINDOWS\WEB\standard.htt

11/30/2005 8:10:14 PM H 33916 C:\WINDOWS\WEB\webview.js

11/30/2005 8:10:14 PM H 2642 C:\WINDOWS\WEB\exclam.gif

11/30/2005 8:10:14 PM H 80 C:\WINDOWS\WEB\plushot.gif

11/30/2005 8:10:14 PM H 59 C:\WINDOWS\WEB\pluscold.gif

11/30/2005 8:10:14 PM H 77 C:\WINDOWS\WEB\minhot.gif

11/30/2005 8:10:14 PM H 56 C:\WINDOWS\WEB\mincold.gif

11/30/2005 8:10:14 PM H 11870 C:\WINDOWS\WEB\printers.htt

11/30/2005 8:10:14 PM H 25217 C:\WINDOWS\WEB\sysroot.htt

11/30/2005 8:10:16 PM H 2848 C:\WINDOWS\WEB\brfcase.htt

11/30/2005 8:10:16 PM H 11083 C:\WINDOWS\WEB\ftp.htt

12/5/2005 10:39:26 AM HS 96768 C:\WINDOWS\WEB\Wallpaper\Thumbs.db

12/5/2005 10:38:50 AM HS 5632 C:\WINDOWS\WEB\Wallpaper\Hearts In Love\Thumbs.db

12/1/2005 9:04:18 AM RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab

12/1/2005 9:04:18 AM RHS 19854 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab

12/1/2005 9:04:18 AM RHS 244933 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab

1/11/2006 3:26:18 PM RHS 11347 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab

1/11/2006 3:27:26 PM RHS 14930 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab

1/13/2006 3:33:04 PM H 6 C:\WINDOWS\TASKS\SA.DAT

1/4/2006 9:13:34 PM HS 568832 C:\WINDOWS\DRM\drmv2.lic

1/4/2006 10:11:44 PM HS 44544 C:\WINDOWS\DRM\drmv2.sst

12/2/2005 2:14:38 PM HS 48 C:\WINDOWS\DRM\v2ks.sec

12/2/2005 2:14:38 PM HS 312 C:\WINDOWS\DRM\v2ks.bla

12/2/2005 2:14:56 PM HS 4348 C:\WINDOWS\DRM\DRMv1.bak

12/2/2005 2:14:56 PM HS 4348 C:\WINDOWS\DRM\DRMv1.key

1/10/2006 6:55:06 PM HS 1445888 C:\WINDOWS\DRM\drmstore.hds

1/4/2006 10:17:16 PM HS 51477 C:\WINDOWS\DRM\migration.log

1/4/2006 10:17:18 PM HS 13824 C:\WINDOWS\DRM\drmv2.licIndex

1/4/2006 10:54:04 PM HS 488 C:\WINDOWS\DRM\v2ksndv.bla

1/4/2006 10:54:04 PM HS 313544 C:\WINDOWS\DRM\IndivBox.key

1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini

1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini

1/10/2006 7:17:32 PM H 626688 C:\WINDOWS\repair\ntuser.dat

Checking for CPL files...

Microsoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Avance Logic, Inc. 7/16/2002 1:08:00 PM 629248 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL

Microsoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

Microsoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

1/10/2006 7:17:30 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...

1/10/2006 7:10:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...

12/1/2005 9:05:22 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

12/1/2005 8:57:18 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = %SystemRoot%\system32\SHELL32.dll

{53C74826-AB99-4d33-ACA4-3117F51D3788} = %SystemRoot%\system32\SHELL32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu

{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu

{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension

{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip

{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}

= C:\WINDOWS\SYSTEM32\SHELL32.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}

= C:\WINDOWS\SYSTEM32\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}

= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}

Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

ButtonText = Yahoo! Messenger : C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 0

startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp

NoRealMode 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun •

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = Explorer.exe

System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 1/13/2006 3:57:21 PM


I just did a few scans; Ad-Aware and AVG have clean scans. True Sword found these to fix (past scans showed LOTS to fix, so things are looking better, huh?)

Known malicious program

Here is its description:

Malicious component or program is found in processes: ALG.EXE. Added by the DEMOTRY-B WORM!

Known malicious program

Here is its description:

Malicious component is found in files winamp.exe. "Added by a variant of the RBOT WORM! Note - this is NOT the popular Winamp media player which has the filename "winampa.exe""

Known malicious program

Here is its description:

Malicious component is found in files winampa.exe. Added by the LOONY-I TROJAN! Note - this is NOT the popular Winamp media player which has the same filename

I did notice that "winampa" in my files the other day - I use Winamp daily and was wondering what the hell that was.

Think that accounts for anything or is that just "simple" spyware?


Please post a fresh HijackThis log so I can look it over.

I have never heard of True Sword before, so this could be what's called a "false positive".

I'll have the next, and hopefully, final step for you after you respond.


Logfile of HijackThis v1.99.1

Scan saved at 9:39:55 PM, on 1/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


It appears that you did this scan in safe mode. Could you please do a scan in normal mode and post it?

Thanks


Weird, I had just walked in the door and turned my PC on to check for replies here & saw you wanted the log, so there it is - not in safe mode. Is that common?

Here it is again:

Logfile of HijackThis v1.99.1

Scan saved at 8:37:14 AM, on 1/15/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


This is odd; it appears as though you are missing programs that you had on there before. Are all your programs working OK?

I also did some research on that True Sword. I recommend you reinstate all the "Quarantined" files it has collected. I also advise that you uninstall it and not use it anymore. More information can be obtained at the Spyware Warrior Rogue/Suspect list:

True Sword

securitystronghold.com

ridiculous false positives work as goad to purchase [A: 1-3-06 / U: 1-3-06]

And from the looks of it, this program was just added on January 3, 2006. This may be the cause of your HijackThis log looking like it was run from safe mode.

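The comparison the reply above makes by eye (what was on an earlier log and has gone missing, or is newly present, on a later one) is easy to make mechanical. The script below is an added example for this thread, not code from HijackThis or from any poster here: it parses two HijackThis 1.99.1-style logs, diffs the running-process list and every O/R/F/N section, and pulls out the autostart entries that exist only in the later log, which are the first things to question. The two logs are constructed excerpts modelled on the ones posted in this thread, trimmed to a few lines each; which sections count as autostart points (O4, O20, O21, O22, O23) is the example's own choice, and the section-code regex is an assumption about the log format that covers only the line shapes seen here.

```python
import re

# Constructed excerpts modelled on the HijackThis v1.99.1 logs posted in this
# thread, trimmed to a few lines each; sample input, not the real logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:37:14 AM, on 1/15/2006
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HijackThis.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:33:42 AM, on 1/18/2006
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# Assumed entry-line shape: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")

# Sections whose entries describe code launched at boot or logon
# (Run keys/startup folders, AppInit/Winlogon Notify, SSODL, SharedTaskScheduler, services).
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O22", "O23"}


def parse_hjt(text):
    """Split a HijackThis log into (set of process paths, {section: set of entry bodies})."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first O/R/F/N entry ends the process list
            entries.setdefault(m.group(1), set()).add(m.group(2))
        elif in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
    return processes, entries


def diff_logs(before, after):
    """What appeared and what disappeared between two logs, keyed by section."""
    procs_a, ent_a = parse_hjt(before)
    procs_b, ent_b = parse_hjt(after)
    added, removed = {}, {}
    for sec in sorted(set(ent_a) | set(ent_b)):
        new = ent_b.get(sec, set()) - ent_a.get(sec, set())
        gone = ent_a.get(sec, set()) - ent_b.get(sec, set())
        if new:
            added[sec] = sorted(new)
        if gone:
            removed[sec] = sorted(gone)
    return {
        "processes_added": sorted(procs_b - procs_a),
        "processes_removed": sorted(procs_a - procs_b),
        "entries_added": added,
        "entries_removed": removed,
    }


def new_autostarts(before, after):
    """Autostart entries present only in the later log, as (section, body) pairs."""
    d = diff_logs(before, after)
    return [(sec, body) for sec in sorted(d["entries_added"])
            if sec in AUTOSTART_SECTIONS for body in d["entries_added"][sec]]


if __name__ == "__main__":
    for sec, body in new_autostarts(LOG_BEFORE, LOG_AFTER):
        print(f"new autostart in {sec}: {body}")
    for path in diff_logs(LOG_BEFORE, LOG_AFTER)["processes_added"]:
        print(f"new process: {path}")
```

Run against the two sample logs it reports the O4 MediaGateway Run entry as a new autostart and cidaemon.exe as a new process, and the diff dictionary also lists the O9 Java Console entry as removed. Dropping into `processes_removed` is how the "missing programs" observation above would surface on real logs.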

I "think" things are working OK - I haven't had any time with the PC in days though. I uninstalled that True Sword; here is a HijackThis log.

Logfile of HijackThis v1.99.1

Scan saved at 8:33:42 AM, on 1/18/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


Well, you now have a new infection listed.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe

After that is done, reboot to Safe Mode, then find the following files and delete them if found:

C:\Program Files\MediaGateway

C:\Program Files\180solutions

Reboot to normal mode and post a fresh HijackThis log.

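The check the helper did by eye above, comparing the second log against the first and spotting an O4 Run entry that was not there before, can be done mechanically. This is an added example, not code from the thread or from HijackThis: it parses HijackThis-format entry lines, diffs two logs, and breaks the O4 autostart entries out into registry key, value name and command line. The two log excerpts are constructed from entries posted in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts in HijackThis log format. The entries are copied from the
# two logs posted in this thread; the full logs are not reproduced here.
LOG_BEFORE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""
LOG_AFTER = LOG_BEFORE + r"""O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
"""

# A HijackThis entry line: a section code (R0, O2, O4, O23, ...) then " - " then the entry.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
# An O4 autostart entry: "<registry key>\Run...: [<value name>] <command line>".
RUN_RE = re.compile(r"^(?P<key>\S+\\Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_log(text: str) -> Dict[str, List[str]]:
    """Group entry lines by section code; header and process-list lines are skipped."""
    sections: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections

def new_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """(section, entry) pairs present in the later log but absent from the earlier one."""
    old = {(sec, e) for sec, entries in parse_log(before).items() for e in entries}
    return [(sec, e) for sec, entries in parse_log(after).items()
            for e in entries if (sec, e) not in old]

def parse_run_entry(entry: str) -> Optional[Tuple[str, str, str]]:
    """Split an O4 entry into (registry key, value name, command line), or None."""
    m = RUN_RE.match(entry)
    return (m["key"], m["name"], m["cmd"]) if m else None

def report(before: str, after: str) -> List[str]:
    """One line per new entry, with O4 autostarts broken out for review."""
    lines = []
    for sec, entry in new_entries(before, after):
        run = parse_run_entry(entry) if sec == "O4" else None
        if run:
            lines.append(f"NEW autostart {run[1]!r} via {run[0]} -> {run[2]}")
        else:
            lines.append(f"NEW {sec}: {entry}")
    return lines
```

Running `report(LOG_BEFORE, LOG_AFTER)` on the excerpts yields exactly one line, the MediaGateway autostart the helper asked to have fixed; anything in the first log and absent from the second is not reported, so run the diff in both directions when checking whether a cleanup actually removed an entry.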