Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Activescan

Post by Tommie » September 23rd, 2005, 11:18 am

Incident Status Location

Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\074E3346-A5A5-453B-83FB-DCDDBE\1CD31B2C-A21D-4585-9981-DD8445
Adware:Adware/Popuper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\074E3346-A5A5-453B-83FB-DCDDBE\9DC67252-8970-42F6-8E8C-AD360F
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\074E3346-A5A5-453B-83FB-DCDDBE\BADE5FF3-B4A8-4880-9BCB-5D4010
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\074E3346-A5A5-453B-83FB-DCDDBE\DF066311-82E5-4DB4-888D-E11812
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\37266CB6-0A9C-4946-ABA0-3D5413\055CDB9D-4B16-4410-8477-9FFA2C
Adware:Adware/Popuper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\37266CB6-0A9C-4946-ABA0-3D5413\2397C6A3-8133-4588-9F4E-9714EB
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\37266CB6-0A9C-4946-ABA0-3D5413\54537367-89FA-4655-921B-97DCB7
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\37266CB6-0A9C-4946-ABA0-3D5413\EE1BD294-8363-4F96-B13A-E42C4C
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\72120865-A8A1-4CA0-8D28-5F9611\47A6A5E1-D46D-4DB2-8C51-9BD398
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\72120865-A8A1-4CA0-8D28-5F9611\6D9A95BC-7154-43A6-AE28-B32217
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\72120865-A8A1-4CA0-8D28-5F9611\7A45ED4B-DF21-4CA4-BD1F-8A759E
Adware:Adware/Popuper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\72120865-A8A1-4CA0-8D28-5F9611\F3587717-0BC0-4548-9E57-6D67F1
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8ECBFDA4-82F8-416A-8663-6086C3\9C6BF626-5122-496D-91F6-B6CE63
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8ECBFDA4-82F8-416A-8663-6086C3\B3A71F45-28A6-4312-A5F5-1DC747
Adware:Adware/Popuper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8ECBFDA4-82F8-416A-8663-6086C3\DE2C98F2-1F15-4319-8171-8D5340
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8ECBFDA4-82F8-416A-8663-6086C3\F7AEC0B0-8CCC-4579-87A7-79AD4D
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D4FE8BFE-3EE0-458F-BAFC-FA9D63\193EA8FC-0614-454E-B40F-E6F76B
Adware:Adware/SpySheriff No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D4FE8BFE-3EE0-458F-BAFC-FA9D63\1FF0FB32-139E-447E-A1D4-BE078C
Adware:Adware/SpywareNo No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D4FE8BFE-3EE0-458F-BAFC-FA9D63\BBB99EC8-7DEA-4340-96F9-4EDDAC
Adware:Adware/Popuper No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D4FE8BFE-3EE0-458F-BAFC-FA9D63\EBA0BAAC-09BF-4BF4-8799-70245B
Virus:Trj/Shellbot.B Disinfected C:\RECYCLER\svchost.exe
Adware:adware program No disinfected C:\WINDOWS\flag.bla
Adware:Adware/PsGuard No disinfected C:\WINDOWS\system32\msvol.tlb
Virus:Trj/Shellbot.B Disinfected C:\WINDOWS\system32\vxgame3.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxh8jkdq6.exe
Virus:Trj/Downloader.EYY Disinfected C:\WINDOWS\system32\vxh8jkdq7.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Hijackthis

Post by Tommie » September 23rd, 2005, 11:20 am

Logfile of HijackThis v1.99.1
Scan saved at 11:20:15 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: 82A44D22-9452-49FB-00FB-CEC7DCAF7E23 - {2850FF81-7735-BB94-313C-3299CC34F5DA} - c:\program files\ea sports\ea sports online\winoqkle32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Post by Tommie » September 23rd, 2005, 11:23 am

Hi Kim, there are some quarantine files in my AntiSpyware folder. Should I delete them, or should I just leave them quarantined in case there are some important files which the software included? I have done what you requested already. So do you think I have any more viruses in my computer?
Thank you,
Tommie
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Post by Kimberly » September 23rd, 2005, 12:25 pm

Hello Tommie,

You may delete those quarantine files in a few days, I would say. Let's make sure that your system is running correctly before we do that. Sometimes, very rarely, a legitimate file is deleted.

We still have to fix a few things from the last logs I did request. Also, I will have you run two more programs to look for and clean up anything that is still left behind. This is a new variant you have, and leaving things behind is not recommended. I know it is time consuming for you, but better to be safe than not. :)

So let's start.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\ShellBot]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"


Save it to your desktop as Fix.reg. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: Fix.reg

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Using killbox delete the following files on reboot:

C:\WINDOWS\flag.bla
C:\WINDOWS\system32\msvol.tlb
C:\WINDOWS\system32\vxgame3.exe
C:\WINDOWS\system32\vxh8jkdq6.exe
C:\WINDOWS\system32\vxh8jkdq7.exe


Add them one by one and reboot only after you have added the last one.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to update outdated definitions - set to 7 days
Click on the Scanning Button on the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include additional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summary in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

If not already installed, download and install the VX2 Cleaner 2.0 plugin from Lavasoft by following the instructions below.

Installing VX2 Cleaner 2.0
  1. Close Ad-Aware, if it is currently open.
  2. Download the VX2 Cleaner 2.0 Plug-in here.
  3. Install the plugin by double-clicking on the downloaded file.
______________________________

If Spybot - S&D 1.4 is already installed on your system, skip to Update Spybot - S&D before using it. Otherwise download Spybot - S&D from the following link:
Spybot - Search and Destroy

When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, pressing the Next button until you get to the Select Additional Tasks screen.

Under Permanent protection, make sure to uncheck the following items for now:
  • Use Internet Explorer Protection
  • Use system settings Protection (TeaTimer)
Press the Next button and then the Install button to start the installation process. When the installation process is complete, make sure that Run Teatimer is unchecked.

Launch Spybot - S&D

If you told Spybot to launch when it was done installing, the program should now be open. Otherwise find the icon on your desktop and double-click on it. When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the Next button. Click on the button labeled Start using this program to begin using Spybot - Search & Destroy.

Update Spybot - S&D before using it

Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them.
______________________________

Start Ad-Aware SE
  • Click on Add-ons
  • Select the VX2 Cleaner plug-in and click Run Tool
  • If your computer isn’t infected, click Close.
    OR
  • If your computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
  • Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
  • Reboot your computer
  • Run Ad-Aware and Click on the Scan Now Button
    • Choose Perform Full System Scan
    • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
    Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

    Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed.

Note: If the VX2 Cleaner does not find anything, I still want you to perform a Full System Scan with the settings above.
______________________________

Run Spybot - S&D

Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of Windows.
______________________________

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Navigate to C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs, click twice on the column header Modified by Date to sort by date. Post the content of the most recent log named Checks.<numbers>.txt or Fixes.<numbers>.txt
______________________________

From the regfiles I did ask:
"Enable Browser Extensions"="REG_SZ:no"
Tommie, did someone make you run a fix already for this infection? Please answer that honestly, because I have to find out if that error was caused by the smitrem fix or not. I did set the option to "yes" in my regfix, which should be the default value, since the Radio Toolbar did appear in IE.
More information on the settings of this option can be found at:
http://support.microsoft.com/default.as ... -us;298931

Why are you starting the volume control from your Startup folder?
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\SYSTEM32\sndvol32.exe
______________________________

A final check for malware:

Download WinPFind.zip to your Desktop from
http://www.bleepingcomputer.com/files/winpfind.php
Extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners to your Desktop.
______________________________

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.

This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file at C:\WinPFind\WinPFind.txt. Please copy that log to your next reply.
______________________________

Run Silent Runners by double-clicking the Silent Runners icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", it will produce a log named "StartupPrograms"
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
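As an added example (not code from the thread or from any tool named in it), a small Python parser for the REGEDIT4 fix format Kimberly posted above: it turns the `[-key]`, `"name"=-` and `"name"="value"` lines into explicit delete-key, delete-value and set-value operations, and enforces the trailing-newline rule she insists on. The Fix.reg text is embedded as constructed sample input; dword support goes slightly beyond what that fix uses.

```python
"""Parse a REGEDIT4-style .reg file into explicit registry operations.

Added example, not code from the thread. FIX_REG is the fix posted above,
embedded here as sample input so the example runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the Fix.reg from the post above (trailing blank line included).
FIX_REG = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\ShellBot]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# A value line: "name"=data or @=data (@ is the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class RegOp:
    action: str                   # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None    # None for key-level operations
    value: Optional[object] = None
    kind: Optional[str] = None    # "string" or "dword"


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return s.replace('\\"', '"').replace('\\\\', '\\')


def _parse_data(raw: str):
    """Return (kind, value); kind "delete" means the value is to be removed."""
    raw = raw.strip()
    if raw == "-":
        return "delete", None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "string", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "dword", int(raw[6:], 16)
    # hex:/hex(n): binary data with line continuations is not needed here.
    raise ValueError(f"unsupported registry data: {raw!r}")


def parse_reg(text: str) -> List[RegOp]:
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    if not text.endswith("\n"):
        # The post insists on a blank line at the end of the file; at the very
        # least the last line needs its line ending, so reject files without it.
        raise ValueError("file must end with a newline")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                ops.append(RegOp("delete_key", key[1:]))
                current = None    # values cannot follow a delete-key line
            else:
                current = key
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if m.group(2) else _unescape(m.group(1))
        kind, value = _parse_data(m.group(3))
        if kind == "delete":
            ops.append(RegOp("delete_value", current, name))
        else:
            ops.append(RegOp("set_value", current, name, value, kind))
    return ops


def describe(ops: List[RegOp]) -> List[str]:
    """Plain-language summary of what merging the file would do."""
    out = []
    for op in ops:
        if op.action == "delete_key":
            out.append(f"delete key {op.key} and everything under it")
        elif op.action == "delete_value":
            out.append(f"delete value {op.name!r} under {op.key}")
        else:
            out.append(f"set {op.name!r} under {op.key} to {op.value!r} ({op.kind})")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(FIX_REG)):
        print(line)
```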

Spybot Fixes

Post by Tommie » September 23rd, 2005, 2:06 pm

--- Report generated: 2005-09-24 01:41 ---

Smitfraud-C.: Library (File, fixed)
C:\WINDOWS\system32\zlbw.dll

SurfSideKick: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Internet Explorer\Security\rpt

SurfSideKick: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Internet Explorer\Security\sox_id

SurfSideKick: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Internet Explorer\Security\sox_ver

Windows Security Center.SP2Update: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Windows Security Center.FirewallDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: User settings (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1547161642-2077806209-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Zonemap.Ranges: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8\:Range

Zonemap.Ranges: Settings (Registry value, fixed)
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9\:Range

Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-09-24 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-09-23 Includes\Cookies.sbi (*)
2005-09-23 Includes\Dialer.sbi (*)
2005-09-23 Includes\Hijackers.sbi (*)
2005-09-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-09-23 Includes\Malware.sbi (*)
2005-09-23 Includes\PUPS.sbi (*)
2005-09-23 Includes\Revision.sbi (*)
2005-09-23 Includes\Security.sbi (*)
2005-09-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-09-23 Includes\Trojans.sbi (*)
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

WINPFIND Scan

Unread postby Tommie » September 23rd, 2005, 2:10 pm

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/22/2004 5:04:56 PM 69120 C:\WINDOWS\daemon.dll
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 9/21/2005 9:12:06 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/21/2005 9:12:04 PM 15863057 C:\WINDOWS\VPTNFILE.851
qoologic 9/21/2005 9:12:04 PM 15863057 C:\WINDOWS\VPTNFILE.851
SAHAgent 9/21/2005 9:12:04 PM 15863057 C:\WINDOWS\VPTNFILE.851
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/23/2001 11:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 5/15/2004 4:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 6/19/2004 6:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 11:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 7/26/2005 8:18:08 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 7/26/2005 8:18:08 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/24/2005 1:44:26 AM S 2048 C:\WINDOWS\bootstat.dat
8/6/2005 1:15:42 AM H 54156 C:\WINDOWS\QTFont.qfn
8/6/2005 7:15:00 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/22/2005 9:00:24 AM H 0 C:\WINDOWS\inf\oem17.inf
8/6/2005 5:10:24 PM H 0 C:\WINDOWS\inf\oem8.inf
8/6/2005 5:11:24 PM RHS 25565 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
8/6/2005 5:11:24 PM RHS 25529 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
8/6/2005 5:11:24 PM RHS 26316 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
8/6/2005 5:11:24 PM RHS 26386 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
8/6/2005 5:11:24 PM RHS 26656 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
8/6/2005 5:11:24 PM RHS 26651 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
8/6/2005 5:11:24 PM RHS 26254 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
8/6/2005 5:11:24 PM RHS 26107 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
8/6/2005 5:11:26 PM RHS 26448 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
8/6/2005 5:11:26 PM RHS 25852 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
8/6/2005 5:11:26 PM RHS 26289 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
8/6/2005 5:11:26 PM RHS 26382 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
8/6/2005 5:11:26 PM RHS 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
8/6/2005 5:11:26 PM RHS 25895 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
8/6/2005 5:11:26 PM RHS 26493 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
8/6/2005 5:11:26 PM RHS 26228 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
8/6/2005 5:11:26 PM RHS 26466 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
8/6/2005 5:11:28 PM RHS 26282 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
8/6/2005 5:11:28 PM RHS 26319 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
8/6/2005 5:11:28 PM RHS 26283 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
8/6/2005 5:05:44 PM RHS 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
8/6/2005 5:11:28 PM RHS 26289 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
8/6/2005 5:11:28 PM RHS 26125 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
9/22/2005 9:24:04 AM RHS 305145 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
9/22/2005 9:26:18 AM RHS 68327 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_55.cab
8/6/2005 5:05:46 PM RHS 27774 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
8/6/2005 5:11:20 PM RHS 26172 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
8/6/2005 5:11:22 PM RHS 25958 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
9/24/2005 1:45:04 AM H 1024 C:\WINDOWS\system32\config\default.LOG
9/24/2005 1:44:32 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/24/2005 1:45:04 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/24/2005 2:05:38 AM H 1024 C:\WINDOWS\system32\config\software.LOG
9/24/2005 1:56:36 AM H 1024 C:\WINDOWS\system32\config\system.LOG
9/21/2005 11:21:22 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/9/2005 11:34:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4ca382d6-1e83-4c41-a726-396d90a0644c
8/9/2005 11:34:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/24/2005 1:44:30 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 1:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 6/15/2005 5:20:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Trend Micro Inc. 10/27/2003 3:38:54 PM 106496 C:\WINDOWS\SYSTEM32\PCCSet.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
NVIDIA Corporation 8/30/2002 3:06:00 PM R 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/24/2005 2:34:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/26/2005 8:03:06 PM 1665 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC-cillin 2002.lnk
9/22/2005 12:14:16 AM 772 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
7/24/2005 8:02:40 PM 1522 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Volume Control.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/24/2005 10:23:44 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/8/2005 12:33:46 AM 207 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
7/24/2005 2:34:38 PM HS 84 C:\Documents and Settings\Chan Liwei\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2005 11:37:12 PM 877 C:\Documents and Settings\Chan Liwei\Application Data\AdobeDLM.log
7/24/2005 10:23:44 PM HS 62 C:\Documents and Settings\Chan Liwei\Application Data\desktop.ini
8/10/2005 11:37:12 PM 0 C:\Documents and Settings\Chan Liwei\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
CLSID = {0000031A-0000-0000-C000-000000000046} :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
UserAccess7 2
PavPrSrv 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^3Deep.lnk
backup C:\WINDOWS\pss\3Deep.lnkCommon Startup
location Common Startup
item 3Deep
backup C:\WINDOWS\pss\3Deep.lnkCommon Startup
location Common Startup
item 3Deep

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk
backup C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpobnz08.exe
item hp psc 2000 Series
backup C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpobnz08.exe
item hp psc 2000 Series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk
backup C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
location Common Startup
item Image Transfer
backup C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
location Common Startup
item Image Transfer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SonnReg.lnk
backup C:\WINDOWS\pss\SonnReg.lnkCommon Startup
location Common Startup
item SonnReg
backup C:\WINDOWS\pss\SonnReg.lnkCommon Startup
location Common Startup
item SonnReg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^True Internet Color Icon.lnk
backup C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup
location Common Startup
item True Internet Color Icon
backup C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup
location Common Startup
item True Internet Color Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\aupd
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysvcs
hkey HKCU
inimapping 0
command C:\WINDOWS\System32\sysvcs.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysvcs
hkey HKCU
inimapping 0
command C:\WINDOWS\System32\sysvcs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools-1033
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Explorer32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item efsdfgxg
hkey HKLM
command C:\WINDOWS\System32\efsdfgxg.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item efsdfgxg
hkey HKLM
command C:\WINDOWS\System32\efsdfgxg.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Jet Detection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADGJDet
hkey HKLM
command "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADGJDet
hkey HKLM
command "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RUNDLL32
hkey HKLM
command RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RUNDLL32
hkey HKLM
command RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SNInstall
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
inimapping 0
command C:\winstall.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
inimapping 0
command C:\winstall.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySheriff
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SpySheriff
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SpySheriff
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kernels32
hkey HKLM
command C:\WINDOWS\System32\kernels32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kernels32
hkey HKLM
command C:\WINDOWS\System32\kernels32.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdReg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winstall
hkey HKCU
command C:\winstall.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Registry Repair Pro
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RegistryRepairPro
hkey HKCU
command C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RegistryRepairPro
hkey HKCU
command C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsUpdate
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vxgame3
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vxgame3
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 1
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
82A44D22-9452-49FB-00FB-CEC7DCAF7E23 {2850FF81-7735-BB94-313C-3299CC34F5DA} = c:\program files\ea sports\ea sports online\winoqkle32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/24/2005 2:08:31 AM

By the way, about this:

"From the regfiles I did ask:
"Enable Browser Extensions"="REG_SZ:no"
Tommie, did someone make you run a fix already for this infection? Please answer that honestly because I have to find out if that error was caused by the smitrem fix or not. I did set the option to "yes" in my regfix, which should be the default value since the Radio Toolbar did appear in IE."

I think I haven't seen this file yet, so I think I did not run a fix for this infection. Is it possible that other virus scan software will automatically fix it for me? Sorry if I brought you a lot of inconvenience.
Tommie
Regular Member
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Silent Runners Scan

Unread postby Tommie » September 23rd, 2005, 2:14 pm

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"pccguide.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"" ["Trend Micro Inc."]
"PCCClient.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"" ["Trend Micro Inc."]
"Pop3trap.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"" ["Trend Micro Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2002\VBProp.dll" ["Trend Micro Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23" = "{2850FF81-7735-BB94-313C-3299CC34F5DA}"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\ea sports\ea sports online\winoqkle32.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Chan Liwei\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Chan Liwei" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"PC-cillin 2002" -> shortcut to: "C:\Program Files\Trend Micro\PC-cillin 2002\pccmain.exe" ["Trend Micro Inc."]
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]
"Volume Control" -> shortcut to: "C:\WINDOWS\system32\sndvol32.exe" [MS]


Enabled Scheduled Tasks:
------------------------

"FRU Task #Hewlett-Packard#hp psc 2100 series#1123601613" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 2100 series#1123601613"" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PC-cillin PersonalFirewall, PCCPFW, "C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe" ["Trend Micro Inc."]
Trend NT Realtime Service, Tmntsrv, ""C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe"" ["Trend Micro Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 53 seconds, including 18 seconds for message boxes)
Tommie
Regular Member
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 24th, 2005, 10:15 am

Hello Tommie,

Let's move on with the fixes, we've got still some work to do.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\ShellBot]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range0]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range10]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range11]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range2]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range3]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range4]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range6]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range7]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range8]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range9]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\aupd]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Explorer32]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SNInstall]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySheriff]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows installer]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23"=-


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it won't work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

O21 - SSODL: 82A44D22-9452-49FB-00FB-CEC7DCAF7E23 - {2850FF81-7735-BB94-313C-3299CC34F5DA} - c:\program files\ea sports\ea sports online\winoqkle32.dll (file missing)

Close ALL windows and browsers except HijackThis and click Fix Checked

Delete the following files if still present:

C:\WINDOWS\System32\sysvcs.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\winstall.exe
C:\WINDOWS\System32\kernels32.exe
c:\program files\ea sports\ea sports online\winoqkle32.dll

______________________________

Start Spybot S&D, run a scan and let it fix everything. Close Spybot S&D.

Navigate to C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs, click twice on the column header Modified by Date to sort by date. Post the content of the most recent log named Checks.<numbers>.txt or Fixes.<numbers>.txt
______________________________

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file at C:\WinPFind\WinPFind.txt. Please copy that log to your next reply.

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am
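The fix file in the post above is a REGEDIT4 script: a `[-key]` header removes a whole key and everything under it, `"name"=-` removes one value, and `"name"="text"` sets a string value. Because a double-click merges it with no confirmation of what it will do, it is worth turning the file into an explicit plan first. The Python script below is an added example, not part of the thread and not a tool used in it: it parses such a file into a list of operations, checks the REGEDIT4 header and the trailing blank line that Kimberly asks for, and flags deletes of very broad keys, all without opening the registry. `SAMPLE_FIX` is a constructed, shortened copy of the posted fix; the `Op`/`Plan` types, `parse_reg` and the "broad key" threshold are the example's own choices.

```python
"""Dry-run linter for a REGEDIT4 fix file like the one posted above.
Added example, not a tool from the thread; it never opens the registry."""
import re
from dataclasses import dataclass, field

ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed sample: a shortened copy of the fix file from the post above.
SAMPLE_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindowsUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

"""

@dataclass
class Op:
    kind: str            # delete_key | ensure_key | delete_value | set_value
    key: str
    name: str = ""       # "" is the key's (Default) value
    data: object = None  # (type, value) for set_value

@dataclass
class Plan:
    ops: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

def parse_data(rhs):
    """Right-hand side of a value line -> (type, data); '-' means delete."""
    if rhs == "-":
        return "delete", None
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return "string", re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo \\ and \" escapes
    if rhs.startswith("dword:"):
        return "dword", int(rhs[6:], 16)
    raise ValueError("unsupported data %r" % rhs)  # hex:, multi-line, ...

def parse_reg(text):
    """Turn .reg text into a Plan without touching the registry."""
    plan = Plan()
    text = text.replace("\r\n", "\n")
    lines = text.split("\n")
    if lines[0].strip() not in HEADERS:
        plan.errors.append("line 1: missing REGEDIT4 header")
    if not text.endswith("\n\n"):  # the blank last line the post asks for
        plan.warnings.append("no blank line at end; regedit may ignore the last entry")
    current = None  # key that following value lines apply to
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if (m := KEY_RE.match(line)):
            minus, key = m.groups()
            current = None
            if key.split("\\", 1)[0] not in ROOTS:
                plan.errors.append("line %d: unknown hive in %r" % (n, key))
            elif minus:  # [-key]: any value lines under it would be a mistake
                if key.count("\\") < 2:  # e.g. [-HKEY_LOCAL_MACHINE\SOFTWARE]
                    plan.warnings.append("line %d: deletes a very broad key %r" % (n, key))
                plan.ops.append(Op("delete_key", key))
            else:
                plan.ops.append(Op("ensure_key", key))
                current = key
            continue
        if not (m := VALUE_RE.match(line)):
            plan.errors.append("line %d: cannot parse %r" % (n, line))
        elif current is None:
            plan.errors.append("line %d: value outside an open key" % n)
        else:
            name = re.sub(r"\\(.)", r"\1", m.group(1) or "")
            try:
                kind, data = parse_data(m.group(2))
            except ValueError as exc:
                plan.errors.append("line %d: %s" % (n, exc))
                continue
            if kind == "delete":
                plan.ops.append(Op("delete_value", current, name))
            else:
                plan.ops.append(Op("set_value", current, name, (kind, data)))
    return plan

if __name__ == "__main__":
    result = parse_reg(SAMPLE_FIX)
    for op in result.ops:
        print("%-12s %s %s %s" % (op.kind, op.key, op.name, op.data or ""))
    for msg in result.warnings + result.errors:
        print("!!", msg)
```

Read the printed plan before merging: every `delete_key` line should name a key you recognise from the scan logs, and anything reported as a broad delete, an unknown hive or an unparseable line deserves a second look before the double-click. The script deliberately refuses `hex:` and multi-line data, which this fix does not use, rather than guess at them.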

Search And Destroy

Unread postby Tommie » September 24th, 2005, 10:52 am

--- Report generated: 2005-09-24 22:49 ---

Avenue A, Inc.: Tracking cookie (Internet Explorer: Chan Liwei) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-09-24 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-09-23 Includes\Cookies.sbi (*)
2005-09-23 Includes\Dialer.sbi (*)
2005-09-23 Includes\Hijackers.sbi (*)
2005-09-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-09-23 Includes\Malware.sbi (*)
2005-09-23 Includes\PUPS.sbi (*)
2005-09-23 Includes\Revision.sbi (*)
2005-09-23 Includes\Security.sbi (*)
2005-09-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-09-23 Includes\Trojans.sbi (*)
Tommie
Regular Member
Posts: 116
Joined: September 22nd, 2005, 6:37 am

WinPFind

Unread postby Tommie » September 24th, 2005, 11:12 am

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 8/22/2004 5:04:56 PM 69120 C:\WINDOWS\daemon.dll
PECompact2 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\LPT$VPN.855
qoologic 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\LPT$VPN.855
SAHAgent 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\LPT$VPN.855
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 9/21/2005 9:12:06 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\VPTNFILE.855
qoologic 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\VPTNFILE.855
SAHAgent 9/22/2005 1:45:14 PM 15881841 C:\WINDOWS\VPTNFILE.855
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
aspack 3/18/2005 5:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/23/2001 11:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 5/15/2004 4:10:42 PM 75264 C:\WINDOWS\SYSTEM32\MACDec.dll
UPX! 6/19/2004 6:28:44 PM 177152 C:\WINDOWS\SYSTEM32\MonkeySource.ax
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 11:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 7/26/2005 8:18:08 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS
aspack 7/26/2005 8:18:08 PM 962672 C:\WINDOWS\SYSTEM32\drivers\VSAPINT.SYS

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/24/2005 8:31:42 PM S 2048 C:\WINDOWS\bootstat.dat
8/6/2005 1:15:42 AM H 54156 C:\WINDOWS\QTFont.qfn
8/6/2005 7:15:00 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/22/2005 9:00:24 AM H 0 C:\WINDOWS\inf\oem17.inf
8/6/2005 5:10:24 PM H 0 C:\WINDOWS\inf\oem8.inf
8/6/2005 5:11:24 PM RHS 25565 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
8/6/2005 5:11:24 PM RHS 25529 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
8/6/2005 5:11:24 PM RHS 26316 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
8/6/2005 5:11:24 PM RHS 26386 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
8/6/2005 5:11:24 PM RHS 26656 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
8/6/2005 5:11:24 PM RHS 26651 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
8/6/2005 5:11:24 PM RHS 26254 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
8/6/2005 5:11:24 PM RHS 26107 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
8/6/2005 5:11:26 PM RHS 26448 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
8/6/2005 5:11:26 PM RHS 25852 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
8/6/2005 5:11:26 PM RHS 26289 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
8/6/2005 5:11:26 PM RHS 26382 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
8/6/2005 5:11:26 PM RHS 26290 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
8/6/2005 5:11:26 PM RHS 25895 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
8/6/2005 5:11:26 PM RHS 26493 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
8/6/2005 5:11:26 PM RHS 26228 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
8/6/2005 5:11:26 PM RHS 26466 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
8/6/2005 5:11:26 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
8/6/2005 5:11:28 PM RHS 26282 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
8/6/2005 5:11:28 PM RHS 26319 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
8/6/2005 5:11:28 PM RHS 26283 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
8/6/2005 5:05:44 PM RHS 70111 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
8/6/2005 5:11:28 PM RHS 26289 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
8/6/2005 5:11:28 PM RHS 26125 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
8/6/2005 5:11:28 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
9/22/2005 9:24:04 AM RHS 305145 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
9/22/2005 9:26:18 AM RHS 68327 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_55.cab
8/6/2005 5:05:46 PM RHS 27774 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
8/6/2005 5:11:20 PM RHS 26172 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
8/6/2005 5:11:22 PM RHS 25958 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
8/6/2005 5:11:24 PM RHS 10469 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
9/24/2005 10:37:48 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/24/2005 8:31:50 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/24/2005 8:32:12 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/24/2005 11:09:20 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/24/2005 10:11:02 PM H 1024 C:\WINDOWS\system32\config\system.LOG
9/21/2005 11:21:22 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
8/9/2005 11:34:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4ca382d6-1e83-4c41-a726-396d90a0644c
8/9/2005 11:34:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/24/2005 8:31:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 1:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 6/15/2005 5:20:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Trend Micro Inc. 10/27/2003 3:38:54 PM 106496 C:\WINDOWS\SYSTEM32\PCCSet.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 11:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
NVIDIA Corporation 8/30/2002 3:06:00 PM R 118784 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/24/2005 2:34:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/26/2005 8:03:06 PM 1665 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PC-cillin 2002.lnk
9/22/2005 12:14:16 AM 772 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
7/24/2005 8:02:40 PM 1522 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Volume Control.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/24/2005 10:23:44 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/8/2005 12:33:46 AM 207 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
7/24/2005 2:34:38 PM HS 84 C:\Documents and Settings\Chan Liwei\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/10/2005 11:37:12 PM 877 C:\Documents and Settings\Chan Liwei\Application Data\AdobeDLM.log
7/24/2005 10:23:44 PM HS 62 C:\Documents and Settings\Chan Liwei\Application Data\desktop.ini
8/10/2005 11:37:12 PM 0 C:\Documents and Settings\Chan Liwei\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2002\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
CLSID = {0000031A-0000-0000-C000-000000000046} :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
pccguide.exe "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCClient.exe "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
UserAccess7 2
PavPrSrv 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^3Deep.lnk
backup C:\WINDOWS\pss\3Deep.lnkCommon Startup
location Common Startup
item 3Deep
backup C:\WINDOWS\pss\3Deep.lnkCommon Startup
location Common Startup
item 3Deep

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch
backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE
item Adobe Reader Speed Launch

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk
backup C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpobnz08.exe
item hp psc 2000 Series
backup C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpobnz08.exe
item hp psc 2000 Series

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe
backup C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
item hpoddt01.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk
backup C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
location Common Startup
item Image Transfer
backup C:\WINDOWS\pss\Image Transfer.lnkCommon Startup
location Common Startup
item Image Transfer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SonnReg.lnk
backup C:\WINDOWS\pss\SonnReg.lnkCommon Startup
location Common Startup
item SonnReg
backup C:\WINDOWS\pss\SonnReg.lnkCommon Startup
location Common Startup
item SonnReg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^True Internet Color Icon.lnk
backup C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup
location Common Startup
item True Internet Color Icon
backup C:\WINDOWS\pss\True Internet Color Icon.lnkCommon Startup
location Common Startup
item True Internet Color Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CTHELPER
hkey HKLM
command CTHELPER.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools-1033
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item daemon
hkey HKLM
command "C:\Program Files\D-Tools\daemon.exe" -lang 1033
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IMJPMIG
hkey HKLM
command C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Jet Detection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADGJDet
hkey HKLM
command "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ADGJDet
hkey HKLM
command "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RUNDLL32
hkey HKLM
command RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RUNDLL32
hkey HKLM
command RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item NvMcTray
hkey HKLM
command RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nwiz
hkey HKLM
command nwiz.exe /install
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TINTSETP
hkey HKLM
command C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UpdReg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdReg
hkey HKLM
command C:\WINDOWS\UpdReg.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Registry Repair Pro
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RegistryRepairPro
hkey HKCU
command C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RegistryRepairPro
hkey HKCU
command C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 2
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoComponents 0
NoAddingComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoHTMLWallPaper 1
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoDispAppearancePage 0
NoColorChoice 0
NoSizeChoice 0
NoDispBackgroundPage 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/24/2005 11:11:05 PM
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am
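The WinPFind output above walks the classic Windows autostart locations: the Run keys, the Winlogon UserInit/Shell values and Notify subkeys, Image File Execution Options (where a Debugger value silently substitutes another program for the named image), AppInit_DLLs and the shell extension handlers. Reading a log of that length by hand is where entries get missed, so the script below, an added example that is not part of the original thread or of WinPFind, parses the registry section of such a log and flags the entries a helper would look at first: Run values whose binary lives outside the Windows or Program Files directories, Winlogon values that deviate from the XP defaults, any IFEO Debugger other than the placeholder key Windows XP ships, and a non-empty AppInit_DLLs. The sample text is constructed in the log's layout; the svchost32, Temp\upd.exe and taskmgr.exe entries are hypothetical and were added so that the checks fire, and the trusted-root list and default values are assumptions for a default install on drive C: of Windows XP.

```python
import re

# Constructed sample in the layout of WinPFind's "Checking Selected Registry
# Keys" section. The svchost32, Temp\upd.exe and taskmgr.exe entries are
# HYPOTHETICAL and were added so that each check fires once.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
svchost32 C:\Documents and Settings\User\Application Data\svchost32.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\upd.exe
Shell = Explorer.exe
System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = C:\WINDOWS\Temp\dbg.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
"""

# Assumptions for a default Windows XP install on drive C:.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "%systemroot%\\")
DEFAULT_WINLOGON = {"userinit": "c:\\windows\\system32\\userinit.exe,",
                    "shell": "explorer.exe", "system": ""}
# Windows XP ships this placeholder IFEO key; it hooks no real image.
IFEO_PLACEHOLDER = ("your image file name here without a path", "ntsd -d")
RUN_KEYS = ("run", "runonce", "runonceex", "runservices", "runservicesonce")

# First drive-letter or %SystemRoot% path ending in an executable extension.
EXE_RE = re.compile(
    r"((?:[a-z]:|%systemroot%)\\.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))\b", re.I)


def extract_path(command):
    """Pull the binary out of a Run value, quoted, rundll32-wrapped or bare."""
    m = EXE_RE.search(command)
    return m.group(1) if m else None


def is_trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(log_text):
    """Return (registry key, detail) findings from a WinPFind registry section."""
    findings, section, ifeo_image = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                     # new key: [HKEY_...]
            section, ifeo_image = line.strip("[]").lower(), None
            continue
        tail = section.rsplit("\\", 1)[-1]
        if tail in RUN_KEYS:                         # "<value name> <command>"
            parts = line.split(None, 1)
            name, command = parts[0], parts[1] if len(parts) > 1 else ""
            path = extract_path(command)
            if path is None:
                findings.append((section, f"{name}: no qualified path in '{command}', resolved via PATH"))
            elif not is_trusted(path):
                findings.append((section, f"{name}: runs from untrusted location {path}"))
        elif tail == "winlogon":                     # "UserInit = ..." lines
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip().lower()
            if key in DEFAULT_WINLOGON and value != DEFAULT_WINLOGON[key]:
                findings.append((section, f"{key} is '{value}', expected '{DEFAULT_WINLOGON[key]}'"))
        elif tail == "image file execution options":
            if line.upper().startswith("HKEY_"):     # subkey named after the image
                ifeo_image = line.rsplit("\\", 1)[-1].lower()
            elif line.lower().startswith("debugger"):
                debugger = line.partition("=")[2].strip()
                if (ifeo_image, debugger.lower()) != IFEO_PLACEHOLDER:
                    findings.append((section, f"{ifeo_image} is redirected by Debugger = {debugger}"))
        elif tail == "windows" and line.lower().startswith("appinit_dlls"):
            value = line[len("appinit_dlls"):].strip().lstrip("=").strip()
            if value:                                # loaded into every user32 process
                findings.append((section, f"AppInit_DLLs loads {value}"))
    return findings


if __name__ == "__main__":
    for key, detail in triage(SAMPLE_LOG):
        print(key.rsplit("\\", 1)[-1], "->", detail)
```

The location check is only a triage heuristic: a dropper that writes into the Windows directory passes it, so a trusted path is not a clean verdict, and the value name proves nothing either way. The script also inherits the blind spots of the tool that wrote the log; an autostart hidden from WinPFind by a rootkit never reaches the text.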

Unread postby Tommie » September 24th, 2005, 11:27 am

Kim, I have a query. Is it true that a virus can affect your surfing speed? When I am surfing the net, it seems to have slowed down compared to before. Or perhaps a virus will affect my browser? I have no idea at all.
Thanks,
Tommie
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 24th, 2005, 11:52 am

In a certain way it can affect browsing speed, since a lot of spyware/malware does report back to their servers and/or download other components.

A firewall that is able to inspect webpages, or an ad-blocking program, is also able to slow down a browser when the page is loading...
I see that you have a similar program from PC Cillin in your running processes - C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE

Part of PC-Cillin anti-virus software. Checks web-sites for malicious Java and ActiveX elements in a similar way to McAfee WebScanX. A few users find it infuriating

http://castlecops.com/modules.php?name= ... ebTrap.EXE

I don't see anything else in your logs, are you still having problems ?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Tommie » September 24th, 2005, 11:57 am

The only problem now, I think, is that when I surf the net, it's very slow. Sometimes it takes quite some time for me to load yahoo.com. In the past, it was very fast. So I don't know what causes this. Is it because I have too many anti-spyware programs and stuff like that? Currently, I have Microsoft AntiSpyware, PC-cillin, Ewido and Trend Micro Anti-Spyware turned on. Could this be the reason?
Thank You,
tommie
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Kimberly » September 24th, 2005, 2:25 pm

Yes, Tommie, this may be the reason; furthermore, real-time protections that perform the same tasks may even conflict. From your HijackThis log entry I see that you are indeed running Ewido Guard. Be warned, this service can demand a lot of resources. I did leave it enabled for a few hours on my P4 3.06 with 1 Gig of RAM and I did notice a real slowdown while browsing webpages.
Try with fewer items enabled and see if your surfing is better. If you are using a hosts file by any chance, you should set the DNS service to Manual or even Disabled; this can also cause a similar effect.
______________________________

Below are a few things to do and some tips to stay clean.

Please reset System Restore to remove any backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Hide your system files again.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading uncheck Show hidden files and folders.
  6. Check the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Click OK.
______________________________

If you wish, re-enable Microsoft AntiSpyware
______________________________

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update site frequently. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application from it, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed.

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected; SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well-known ad and spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    A tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all of the known spyware sites, sites responsible for hijacks, rogue applications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Use an AntiVirus Software

It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your anti-virus software at least once a week (even more often if you wish). If you do not update your anti-virus software, then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Let me know if you did manage to speed up your browsing.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
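Kim's post above recommends replacing the hosts file with a blocklist that sinks known ad and spyware hostnames to 127.0.0.1. The same mechanism is used in the other direction by malware, which adds entries that point update or security-vendor sites at the loopback address (so nothing can update) or at a host the attacker controls (so the victim lands on a look-alike). The script below, an added example that is not part of the original post or of any tool named in it, parses a hosts file and separates legitimate blocklist entries from entries that look like tampering. The sample file is constructed: the hostnames, the 203.0.113.7 address (from the TEST-NET-3 documentation range) and the PROTECTED set are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of a blocklist-style hosts file. Lines
# marked HYPOTHETICAL are invented to show what a tampered file looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net               # blocklist entry
127.0.0.1       tracker.example.org
0.0.0.0         banners.example.com
127.0.0.1       ads.example.net               # duplicate of the entry above
127.0.0.1       windowsupdate.microsoft.com   # HYPOTHETICAL: update site blackholed
203.0.113.7     update.antivirus-vendor.example   # HYPOTHETICAL: sent to attacker host
203.0.113.7     www.bank.example                  # HYPOTHETICAL: sent to attacker host
"""

# Addresses a blocklist legitimately sinks names to.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# Names that must never appear in the hosts file at all (assumed list; a real
# deployment would hold its own update and security-vendor domains here).
PROTECTED = {"windowsupdate.microsoft.com", "update.antivirus-vendor.example"}


def parse_hosts(text):
    """Return [(line_number, ip, hostname)] for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a mapping line
        for host in fields[1:]:                  # one IP may list several names
            entries.append((lineno, ip, host.lower()))
    return entries


def audit_hosts(text, protected=PROTECTED):
    """Separate blocklist entries from entries that look like tampering."""
    entries = parse_hosts(text)
    counts = Counter(host for _, _, host in entries)
    return {
        # Names sunk to a blackhole address: what a blocklist is supposed to do.
        "blocked": sorted({h for _, ip, h in entries
                           if ip in BLACKHOLE and h != "localhost"}),
        # Same name listed twice: sloppy merge, or a second list appended.
        "duplicates": sorted(h for h, n in counts.items() if n > 1),
        # A name pointed at a routable address is a redirect, not a block:
        # the classic way to steer victims to a phishing or malware host.
        "redirects": [(h, str(ip)) for _, ip, h in entries if ip not in BLACKHOLE],
        # Any mapping at all for a protected name breaks updates or defences,
        # whichever address it carries.
        "protected_hits": [(h, str(ip)) for _, ip, h in entries if h in protected],
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} names blocked, "
          f"{len(report['duplicates'])} duplicates, "
          f"{len(report['redirects'])} redirects, "
          f"{len(report['protected_hits'])} protected names touched")
```

On a real machine the file is %SystemRoot%\system32\drivers\etc\hosts; read it with the default encoding and pass the text in. The entry count is also worth printing: the slowdown Kim mentions with a large hosts file comes from the DNS Client service caching the whole file, which is why the advice is to set that service to Manual or Disabled when a list of tens of thousands of names is installed.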
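The Custom Level steps in the post above change six URL actions in the Internet zone. Each one is a DWORD under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, named by its action ID, with 0 meaning Enable, 1 Prompt and 3 Disable. The script below, an added example that is not part of the original post, reads a .reg export of that key and lists the settings that differ from what the post recommends, which is quicker than clicking through the dialog on each machine. The export text is constructed, with values chosen so that three settings deviate; the action-ID table maps the IDs Microsoft documents for these six settings to the values the post asks for.

```python
import re

# Constructed .reg export of the Internet zone (zone 3); not taken from the
# original thread. Values were chosen so that three settings deviate.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000001
"""

ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# URL action IDs behind the Custom Level entries named in the post, with the
# value the post recommends for each.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
}

KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "name"=dword:hex


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg file."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            tree.setdefault(key, {})
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            tree[key][m.group(1)] = int(m.group(2), 16)
    return tree


def audit_internet_zone(text, recommended=RECOMMENDED):
    """List (action_id, description, current_state, wanted_state) deviations."""
    tree = parse_reg(text)
    zone = next((v for k, v in tree.items() if k.lower().endswith("\\zones\\3")), {})
    deviations = []
    for action, (desc, wanted) in recommended.items():
        current = zone.get(action)               # None when the export lacks the value
        if current != wanted:
            deviations.append((action, desc, STATE.get(current, "not set"), STATE[wanted]))
    return deviations


if __name__ == "__main__":
    for action, desc, current, wanted in audit_internet_zone(SAMPLE_REG):
        print(f"{action} {desc}: {current}, should be {wanted}")
```

To produce the input on the machine being checked, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; reg.exe writes the file as UTF-16, so open it with `encoding="utf-16"` before passing the text to `audit_internet_zone`.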

Unread postby Tommie » September 25th, 2005, 1:52 am

Kim, I guess my computer has been cleared of viruses. I took your advice from your previous post and I hope the virus won't attack me again. Thanks for constantly helping me; without you, I think the virus would not have been removed so fast. Thank you very much!! You are a genius!!!!!! Thank YOU!!! May God bless you in everything you do!!!! Thank You!!!!

Tommie
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am