Hjt Log[INACTIVE]


Recommended Posts

My computer became infected with viruses and after trying to fix it myself using Ad-aware, Spybot SD, HJT, etc. I think I'm still infected and now some of my applications won't run anymore, such as, SpybotSD, Yahoo Messenger, Cleanup, etc. Here is my latest HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 10:56:45 PM, on 2/2/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\WINDOWS\SYSTEM32\3cshtdwn.exe

C:\WINDOWS\SYSTEM32\3cmlink.exe

C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\LVComsX.exe

C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

C:\WINDOWS\FSScrCtl.exe

C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe

C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm58.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.earthlink.net/~rbaker529/id2.html

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe

O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\wkqwaw.exe reg_run

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - Startup: BJ Status Monitor Canon i560.lnk = ?

O4 - Global Startup: Acrobat Assistant.lnk.disabled

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe

O4 - Global Startup: TK8 EasyNote 1.1.lnk = C:\Program Files\TK8\TK8 EasyNote 1.1\EasyNote.exe

O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\Internet Call Notification\CallWaiting.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_6us.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Link to post
Share on other sites

Hi,

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido anti malware it is a free version of the program.

  1. Install ewido anti malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu

[*]Launch ewido, there should be an icon on your desktop, double-click it.

[*]The program will now open to the main screen.

[*]When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

[*]You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update.
  • Then click on Start Update.

[*]The update will start and a progress bar will show the updates being installed.

(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti malware.

Reboot and post a new HijackThis log as well as the ewido log.

Link to post
Share on other sites

Well, guess I've got worse problems than yopu thought. After installing Ewido and following your instructions I got to the point of clicking "Complete system scan" and when I clicked it Ewido just disappeared. Nothing happened at all. Tryed it several times, same thing , it just goes away. That's the same thing that happens to Yahoo Messenger and Cleanup, they just go away. I think I may have inadvertantly deleted a system file or 2 during my attempts to get control of my computer yesterday. What now?

Hi,

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido anti malware it is a free version of the program.

  1. Install ewido anti malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu

[*]Launch ewido, there should be an icon on your desktop, double-click it.

[*]The program will now open to the main screen.

[*]When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

[*]You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update.
  • Then click on Start Update.

[*]The update will start and a progress bar will show the updates being installed.

(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti malware.

Reboot and post a new HijackThis log as well as the ewido log.

Link to post
Share on other sites

Lets try the manual removal.

Hi,

Please Download the following tools to assist us in removing this infection!

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!

    [*]Download Track qoo

    • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Danny

Link to post
Share on other sites

Hi Danny,

Thanks for getting back with me. I did as you said and ran both programs. Below are the results of both scans:

WinPFind scan:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600

Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

PTech 9/26/1997 11:04:00 AM 614728 C:\Program Files\PHD3D.HLP

PTech 4/2/1997 8:39:12 AM 144380 C:\Program Files\PLXLAND.HLP

Checking %WinDir% folder...

qoologic 2/25/2005 4:23:44 PM 3936 C:\WINDOWS\hgkhch.dll

urllogic 2/25/2005 4:23:44 PM 3936 C:\WINDOWS\hgkhch.dll

abetterinternet.com 2/25/2005 4:23:44 PM 3936 C:\WINDOWS\hgkhch.dll

UPX! 11/15/2005 2:49:20 PM 22016 C:\WINDOWS\sa22.dll

UPX! 4/9/2005 2:06:12 AM 170053 C:\WINDOWS\tsc.exe

PECompact2 4/9/2005 2:06:12 AM 13789155 C:\WINDOWS\VPTNFILE.504

qoologic 4/9/2005 2:06:12 AM 13789155 C:\WINDOWS\VPTNFILE.504

SAHAgent 4/9/2005 2:06:12 AM 13789155 C:\WINDOWS\VPTNFILE.504

UPX! 4/11/2005 9:33:38 PM 1044560 C:\WINDOWS\vsapi32.dll

aspack 4/11/2005 9:33:38 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...

PEC2 11/18/1996 748160 C:\WINDOWS\SYSTEM32\CO2C40EN.DLL

UPX! 9/14/2003 1:20:04 PM 402944 C:\WINDOWS\SYSTEM32\Colors of Autumn Scenic Reflections.scr

PEC2 8/23/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

PEC2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll

PECompact2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll

UPX! 8/23/2001 6:00:00 AM 32256 C:\WINDOWS\SYSTEM32\hksrv.dll

UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com

qoologic 4/12/2005 4:28:26 PM 10188019 C:\WINDOWS\SYSTEM32\pav.sig

aspack 4/12/2005 4:28:26 PM 10188019 C:\WINDOWS\SYSTEM32\pav.sig

SAHAgent 4/12/2005 4:28:26 PM 10188019 C:\WINDOWS\SYSTEM32\pav.sig

winsync 4/12/2005 4:28:26 PM 10188019 C:\WINDOWS\SYSTEM32\pav.sig

UPX! 8/21/2003 10:41:14 AM 12288 C:\WINDOWS\SYSTEM32\perfont.exe

Umonitor 8/29/2002 4:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll

UPX! 5/25/2004 8:15:24 AM 730768 C:\WINDOWS\SYSTEM32\sg20.ocx

winsync 8/23/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

2/4/2006 8:13:30 PM S 2048 C:\WINDOWS\bootstat.dat

1/24/2006 4:41:24 PM H 54156 C:\WINDOWS\QTFont.qfn

2/4/2006 5:08:10 PM H 0 C:\WINDOWS\inf\oem29.inf

2/4/2006 6:31:50 PM H 0 C:\WINDOWS\LastGood\INF\oem30.inf

2/4/2006 6:31:50 PM H 0 C:\WINDOWS\LastGood\INF\oem30.PNF

2/4/2006 8:13:22 PM H 8192 C:\WINDOWS\system32\config\default.LOG

2/4/2006 8:13:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG

2/4/2006 8:13:32 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG

2/4/2006 8:13:48 PM H 53248 C:\WINDOWS\system32\config\software.LOG

2/4/2006 8:13:36 PM H 958464 C:\WINDOWS\system32\config\system.LOG

2/2/2006 3:02:50 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DQ3WP8Z\desktop.ini

2/2/2006 3:02:50 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CDU1MBKB\desktop.ini

2/2/2006 3:02:50 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\MVSFGXMN\desktop.ini

2/2/2006 3:02:50 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WPC90BAD\desktop.ini

2/4/2006 8:12:14 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...

Microsoft Corporation 8/23/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 5/30/2003 3:17:20 PM 579584 C:\WINDOWS\SYSTEM32\appwiz.cpl

Logitech Inc. 1/18/2005 4:36:14 PM 282624 C:\WINDOWS\SYSTEM32\camcpl.cpl

Microsoft Corporation 8/29/2002 4:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 8/29/2002 4:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/29/2002 4:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/29/2002 4:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl

Sun Microsystems 2/22/2004 10:44:42 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl

Apple Computer, Inc. 1/6/2004 3:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl

Microsoft 3/2/1999 4:10:02 PM 49152 C:\WINDOWS\SYSTEM32\speech.cpl

Microsoft Corporation 8/29/2002 4:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl

Microsoft Corporation 8/29/2002 2:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Microsoft Corporation 8/23/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

8/21/2003 2:58:10 PM 910 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled

11/25/2003 12:50:08 AM 986 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

8/21/2003 1:23:26 PM 1839 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Configuration Utility.lnk

8/21/2003 11:07:16 AM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini

7/29/2005 9:47:30 PM 1895 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

8/21/2003 1:52:36 PM 1730 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk

9/14/2003 1:24:46 PM 519 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Screen Saver Control.lnk

6/3/2004 11:43:08 AM 1780 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Sprint FastConnect virtual assistant.lnk

12/18/2004 11:58:42 PM 808 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\TK8 EasyNote 1.1.lnk

11/11/2005 8:47:12 AM 1075 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\U.S. Robotics Internet Call Notification.lnk

2/4/2006 6:45:06 PM 227840 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\xiwx.exe

Checking files in %ALLUSERSPROFILE%\Application Data folder...

8/21/2003 5:51:22 AM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...

2/4/2006 8:05:56 PM 964 C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Start Menu\Programs\Startup\BJ Status Monitor Canon i560.lnk

8/21/2003 11:07:16 AM HS 84 C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

8/21/2003 5:51:22 AM HS 62 C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\desktop.ini

5/11/2005 3:08:48 PM 47568 C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ClamWin

{65713842-C410-4f44-8383-BFE01A398C90} = C:\Program Files\ClamWin\bin\ExpShell.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsfyf

{79281bfa-0166-47e3-a987-170475eb8f04} =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fqsfyfkq

{1ae51be2-e6c6-4034-b7f4-e587ea9f2efb} = C:\WINDOWS\System32\flqfm.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ClamWin

{65713842-C410-4f44-8383-BFE01A398C90} = C:\Program Files\ClamWin\bin\ExpShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}

= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{D7F30B62-8269-41AF-9539-B2697FA7D77E} = Pop-Up Blocker : C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN Toolbar : C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping

MenuText = :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{94148DB5-B42D-4915-95DA-2CBB4F7095BF}

ButtonText = UltimateBet : C:\Program Files\UltimateBet\UltimateBet.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

ButtonText = AIM : C:\Program Files\AIM\aim.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B13B4423-2647-4cfc-A4B3-C7D56CB83487}

ButtonText = Share in Hello :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EFFF8D47-D060-4108-B761-E8EC86622E56}

ButtonText = AbsolutePoker.com : C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{F47C1DB5-ED21-4dc1-853E-D1495792D4C5}

ButtonText = Bodog Poker : C:\Program Files\Bodog Poker\GameClient.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

Media Band = %SystemRoot%\System32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}

Favorites Band = %SystemRoot%\System32\shdocvw.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}

Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{339BB23F-A864-48C0-A59F-29EA915965EC} = :

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :

{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN Toolbar : C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

USRpdA C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

3c1807pd C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd

Motive SmartBridge C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe

AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

Omnipage C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

LogitechVideoRepair C:\Program Files\Logitech\Video\ISStart.exe

LogitechVideoTray C:\Program Files\Logitech\Video\LogiTray.exe

QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

{0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Program Files\Google\Gmail Notifier\gnotify.exe

WindowsUpdate

ClamWin "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

winsync C:\WINDOWS\System32\wkqwaw.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

IMAIL Installed = 1

MAPI Installed = 1

MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

Yahoo! Pager C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

LDM \Program\BackWeb-8876480.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun -1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

3ccrdi C:\WINDOWS\System32\3ccrdi.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

DisableTaskMgr 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

hksrv.dll {9F9F9DA8-51D1-448C-AC8A-49286CA475E2} = hksrv.dll

SysTray.Exgl {636821FC-6F5C-2f1b-B164-E67214F678E2} = C:\WINDOWS\System32\eanpabpb.dll

cqgRFWNHybAffnz {08E31D1A-A249-B7B0-87C4-13544E07915F} = C:\WINDOWS\System32\cbz.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = explorer.exe

System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 2/4/2006 8:20:16 PM

Track goo scan:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"

"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"

"USRpdA"="C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA"

"3c1807pd"="C:\\WINDOWS\\SYSTEM32\\3cmlink.exe RunServices \\Device\\3cpipe-3c1807pd"

"Motive SmartBridge"="C:\\PROGRA~1\\SPRINT~1\\SMARTB~1\\MotiveSB.exe"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"

"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "

"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"

"WindowsUpdate"=""

"ClamWin"="\"C:\\Program Files\\ClamWin\\bin\\ClamTray.exe\" --logon"

"winsync"="C:\\WINDOWS\\System32\\wkqwaw.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

-----------------

Thanks again for the help.

Ray

Lets try the manual removal.

Hi,

Please Download the following tools to assist us in removing this infection!

  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!

    [*]Download Track qoo

    • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    1. Go to the WinPFind folder
    2. Locate WinPFind.txt
    3. Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Danny

Link to post
Share on other sites

Anywho..

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\hgkhch.dll

    C:\WINDOWS\sa22.dll

    C:\WINDOWS\SYSTEM32\hksrv.dll

    C:\WINDOWS\SYSTEM32\locate.com

    C:\WINDOWS\SYSTEM32\perfont.exe

    [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Next,Please download Rootkit Revealer (link is at the very bottom of the page)

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.

Danny

Link to post
Share on other sites

Hi Danny, here is the RootKitRevealer.txt file. Note: the last entry in the file is timestamped with the date and time I started having problems.

Ray

HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/18/2004 11:12 PM 13 bytes Data mismatch between Windows API and raw hive data.

HKLM\SYSTEM\ControlSet001\Services\sysbus32 2/8/2006 10:24 AM 0 bytes Hidden from Windows API.

HKLM\SYSTEM\ControlSet003\Services\sysbus32 2/8/2006 10:24 AM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Guest.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 12/26/2004 2:44 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Guest.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 12/26/2004 2:44 PM 300 bytes Hidden from Windows API.

C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 12/7/2005 10:38 AM 0 bytes Hidden from Windows API.

C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 12/7/2005 10:38 AM 300 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 2/4/2006 12:48 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#angelfire.com 10/13/2003 10:43 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#angelfire.com\settings.sol 10/13/2003 10:43 PM 83 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bankofamerica.com 12/6/2005 12:31 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bankofamerica.com\settings.sol 12/6/2005 12:31 PM 87 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#chat.alt.com 9/9/2005 9:31 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#chat.alt.com\settings.sol 9/9/2005 9:31 PM 82 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#espn.go.com 5/3/2004 12:06 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#espn.go.com\settings.sol 5/3/2004 12:06 PM 81 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash2.ifriends.net 10/7/2005 3:18 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#flash2.ifriends.net\settings.sol 10/7/2005 3:18 PM 89 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#go.com 10/19/2004 11:58 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#go.com\settings.sol 10/19/2004 11:58 PM 76 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local 7/29/2005 11:36 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 7/29/2005 11:36 PM 75 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mlb.com 10/14/2004 5:48 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#mlb.com\settings.sol 10/14/2004 5:48 PM 77 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#naiadsystems.com 7/9/2005 12:01 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#naiadsystems.com\settings.sol 7/9/2005 12:01 PM 86 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#orders.webpower.com 10/7/2005 3:18 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#orders.webpower.com\settings.sol 10/7/2005 3:18 PM 89 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.paceadvantage.com 2/21/2005 4:17 PM 0 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.paceadvantage.com\settings.sol 2/21/2005 4:17 PM 91 bytes Hidden from Windows API.

C:\Documents and Settings\Ray Baker.RAY-TWA0MACJQU8\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 2/4/2006 12:48 PM 591 bytes Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q328310\symbols\sys 9/16/2003 6:42 PM 0 bytes Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q328310\symbols\sys\win32k.pdb 9/16/2003 6:42 PM 1011.00 KB Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q329170\symbols\sys 9/16/2003 6:47 PM 0 bytes Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q329170\symbols\sys\srv.pdb 9/16/2003 6:47 PM 259.00 KB Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q810577\symbols\sys 9/16/2003 6:43 PM 0 bytes Hidden from Windows API.

C:\WINDOWS\$xpsp1hfm$\Q810577\symbols\sys\mrxsmb.pdb 9/16/2003 6:43 PM 323.00 KB Hidden from Windows API.

C:\WINDOWS\system32\drivers\sysbus32.sys 2/2/2006 2:45 AM 47.71 KB Hidden from Windows API.

Anywho..

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\hgkhch.dll

    C:\WINDOWS\sa22.dll

    C:\WINDOWS\SYSTEM32\hksrv.dll

    C:\WINDOWS\SYSTEM32\locate.com

    C:\WINDOWS\SYSTEM32\perfont.exe

    [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.

    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Next,Please download Rootkit Revealer (link is at the very bottom of the page)

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.

Danny

Link to post
Share on other sites

Aha! Found the problem :)

  • Please download StartupList to your desktop.
  • Double click the startuplist.zip to extract the files inside.
  • When the new window opens, please double click on StartupList.exe
  • A window will open that will begin listing all of the startups with icons and text. In the lower left hand corner, it will show the status. When it says "ready" in the bottom left corner, it has finished running.
  • At the top of the window, click File>Save As and save startuplist.txt to your desktop.
  • Close startuplist.exe window
    Post a copy of startuplist.txt in your next reply.

Danny :thumbsup:

Link to post
Share on other sites

Ok,

Click Start-> Click Run-> Copy the text below into the Open Run Box and Click OK.

sc delete sysbus32

Click Start-> Right Click My Computer and Select Properties-> Click Hardware-> Click Device Manager

Once the Device Manager Opens-> Click View-> Click Show Hidden Devices

Scroll down that list and Double Click Non-Plug and Play Drivers

Scroll that list-> Locate 32bit system bus driver-> If found-> Right Click and Select Uninstall.

Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot
    • then Click on the "All Files" button.

    [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\drivers\sysbus32.sys

    [*] Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    [*]Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.

If your computer does not restart automatically, please restart it manually.

Please run Rootkit Revealer and post that log as well as a new HijackThis log.

Danny :thumbsup:

Link to post
Share on other sites
  • 1 month later...
Guest
This topic is now closed to further replies.