Trojan Horse - Backdoor.Generic2.AKA


Post by wonderwill » December 27th, 2005, 12:49 pm

Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 27, 2005 16:46:55
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/12/2005
Kaspersky Anti-Virus database records: 167797
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29632
Number of viruses found: 10
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 2618 sec

Infected Object Name - Virus Name
C:\!KillBox\avpe64.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\!KillBox\qz.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\!KillBox\winupdt.exe Infected: Backdoor.Win32.Haxdoor.fr
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\init[1].js Infected: Trojan-Downloader.JS.IstBar.af
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ad
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].htm Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php/packed Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php Infected: Trojan-Downloader.JS.Codebase.c
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP4\A0000613.exe Infected: Trojan-Downloader.Win32.Femad.ae
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP6\A0000717.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP6\A0000718.exe Infected: Backdoor.Win32.Haxdoor.fr
C:\System Volume Information\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\RP6\A0000719.sys Infected: Backdoor.Win32.Haxdoor.fr

Scan process completed.

Kim - Just to let you know, I will not have access to this pc from 28 Dec for one week as I will be on holiday.
Rgds
Ww
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm
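The report above lists every hit by object path, including members nested inside archives and CHM files. As an added example (not code from the thread or from Kaspersky), the script below collapses those nested hits to the file that actually sits on disk and buckets them by location, so that detections inside Killbox backups, System Restore points and the IE cache can be told apart from anything still active. SAMPLE_REPORT is a constructed subset of the posted log; the location labels and regexes are this example's own conventions.

```python
"""Triage a Kaspersky On-line Scanner report by where each hit lives.

Added example, not code from the thread. SAMPLE_REPORT is constructed from a
few of the lines posted above; the location labels and regexes are this
example's own conventions.
"""
import re

# Report lines look like "<object path> Infected: <detection name>".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")

# Lower-cased path fragments that mark a hit as dormant rather than active.
LOCATIONS = (
    ("killbox_backup", "\\!killbox\\"),                   # Killbox's own backups
    ("system_restore", "\\system volume information\\"),  # restore points
    ("browser_cache", "\\temporary internet files\\"),    # IE cache
)

# Constructed sample, abbreviated from the report above.
SAMPLE_REPORT = """\
Infected Object Name - Virus Name
C:\\!KillBox\\avpe64.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\\!KillBox\\qz.sys Infected: Backdoor.Win32.Haxdoor.fr
C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\ILCRRGHI\\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi
C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\ILCRRGHI\\eied_s7[1].chm Infected: Trojan-Downloader.JS.Psyme.bi
C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\OBFF35PK\\package_adp_SIAC[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\OBFF35PK\\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\\System Volume Information\\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\\RP3\\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\\System Volume Information\\_restore{92CD6F44-7009-4606-B3BB-FCDDE3FB05EE}\\RP6\\A0000717.sys Infected: Backdoor.Win32.Haxdoor.fr
Scan process completed.
"""


def container_of(path):
    """Kaspersky names nested objects as <file on disk>/<member>; Windows
    paths never contain a forward slash, so the first "/" marks the file."""
    return path.split("/", 1)[0]


def classify(path):
    """Map a container path to one of the LOCATIONS labels, else "live"."""
    low = path.lower()
    for label, marker in LOCATIONS:
        if marker in low:
            return label
    return "live"


def parse_report(text):
    """Return (container_path, location, detection_name) per detection line.

    Header, statistics and "Scan process completed." lines do not match
    DETECTION_RE and are skipped.
    """
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        cont = container_of(m.group("path"))
        found.append((cont, classify(cont), m.group("name")))
    return found


def triage(text):
    """location -> {container_path: sorted detection names}, nested hits
    collapsed onto the on-disk file that carries them."""
    buckets = {}
    for cont, loc, name in parse_report(text):
        buckets.setdefault(loc, {}).setdefault(cont, set()).add(name)
    return {loc: {c: sorted(n) for c, n in conts.items()}
            for loc, conts in buckets.items()}


def summary(text):
    """Number of distinct on-disk files per location."""
    return {loc: len(conts) for loc, conts in triage(text).items()}


def live_infections(text):
    """Files outside any backup, restore point or browser cache: these would
    mean the cleanup is not finished."""
    return sorted(triage(text).get("live", {}))


def families(text):
    """Distinct families (first three dotted components, "not-a-virus:" prefix
    dropped) seen anywhere in the report."""
    fams = set()
    for _, _, name in parse_report(text):
        bare = name.split(":")[-1]
        fams.add(".".join(bare.split(".")[:3]))
    return sorted(fams)


if __name__ == "__main__":
    for loc, count in sorted(summary(SAMPLE_REPORT).items()):
        print(f"{loc:15s} {count} file(s)")
    print("families:", ", ".join(families(SAMPLE_REPORT)))
    print("live infections:", live_infections(SAMPLE_REPORT) or "none")
```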

Post by wonderwill » December 27th, 2005, 1:03 pm

Kim

Just to make you aware I am now having problems updating Windows as the MS site is saying that this is a blocked licence key version. I have been able to update until the last few operations I carried out?
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » December 27th, 2005, 1:14 pm

Hello wonderwill,

I'm very pleased with the results, looks like we nailed it. :)

Let's remove leftovers from the registry. The rootkit didn't load in Normal Mode, just as we thought. :)

Click Start then Run
Type in regedit
Click Ok.

In left pane of registry editor, Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AVPE64
If LEGACY_AVPE64 exists then right click on it and choose Delete from the menu.

Now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_AVPE64
If LEGACY_AVPE64 exists then right click on it and choose Delete from the menu.

Now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AVPE64
If LEGACY_AVPE64 exists then right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritable permissions and press Copy. Click on Everyone and put a checkmark in Full Control, press Apply and OK and attempt to delete the key again.
______________________________

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click Apply then OK.
______________________________

Delete the folder : C:\!KillBox - backups made by Killbox
______________________________

Please reset System Restore to remove any backups of the spyware and trojans.

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

About the huge Rootkit Revealer log: I found the explanation for all the entries that have "Visible in Windows API, MFT, but not in directory index". It seems to be a bug on certain computers with the 1.6 version; 1.56 does not have this bug.

Delete the actual Rootkit Revealer version you have, replace with this one:
http://www.sysinternals.com/Forum/uploa ... r_1.56.zip

Do a scan and save the log. Post as a reply please. (Just to doublecheck that everything is ok)
______________________________

I'll see what I can find about the Windows Update problem; lots of people have trouble with the Windows Update site lately. Maybe it happened because you switched from Home Edition SP1 to Professional SP2 while having malware on board. It's possible that you will have to contact Microsoft about that borked licence problem.

In the meantime you can still update manually if you want; below are a few links.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/offic ... fault.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/securi ... fault.mspx

Recently Published
http://www.microsoft.com/technet/securi ... fault.mspx
______________________________

Please post the rkr log, a new HijackThis log and let me know how the PC behaves.

Kim - Just to let you know, I will not have access to this pc from 28 Dec for one week as I will be on holiday.


I'll still be around when you come back; the PC should be clean now and we'll leave the topic open. Enjoy the holiday. :)

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by wonderwill » December 27th, 2005, 2:09 pm

Kim

Many thanks once again.

Here is Rootkit log and hijack.

Still perturbed about the Windows Update which was working. However, the big question is, how did it all become infected so quickly and can I prevent it in the future with any monitoring software other than Zone Alarm and AVG?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CyberScrub® Privacy Suite 12/23/2005 16:09 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberScrub® Privacy Suite 12/27/2005 17:47 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 12/27/2005 17:48 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 12/27/2005 17:48 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\073163CDd01 12/27/2005 17:57 16.62 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\18E08D69d01 12/27/2005 18:03 78.78 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\1B0D78F4d01 12/27/2005 18:00 20.52 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\2D796A6Ad01 12/27/2005 18:01 38.79 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\58CC45AAd01 12/27/2005 18:02 30.81 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\5FC89581d01 12/27/2005 18:02 43.82 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\6455A846d01 12/27/2005 18:00 20.87 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\7ECE1141d01 12/27/2005 17:57 20.95 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\9779C40Dd01 12/27/2005 18:00 809.89 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\A7C15A40d01 12/27/2005 18:01 18.06 KB Hidden from Windows API.
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Mozilla\Firefox\Profiles\afeby63j.default\Cache\DA8598D5d01 12/27/2005 17:57 22.22 KB Hidden from Windows API.
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by wonderwill » December 27th, 2005, 2:11 pm

Kim

Hijackthis log.

Rgds and thanks - Ww

Logfile of HijackThis v1.99.1
Scan saved at 18:10:09, on 27/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » December 27th, 2005, 2:47 pm

Rkr log is fine now and HijackThis log is clean.

Still perturbed about the Windows Update which was working. However, the big question is, how did it all become infected so quickly and can I prevent it in the future with any monitoring software other than Zone Alarm and AVG?


HijackThis log :
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249

You have the update control installed, dunno if it saves info about the licence key somewhere ...
A way to check if your licence key is valid, which could tell you whether the problem is the key or the stored info on your PC:
http://www.microsoft.com/resources/howt ... fault.mspx
http://www.microsoft.com/piracy/Reporting_FAQ.mspx

Haxdoor can hide files; usually Windows Update does not work at all. Is C:\WINDOWS\system32\qmgr.dll on your system? Any idea when this first happened?

Can you post or email me C:\windows\WindowsUpdate.log - I might be able to see what is wrong.

SpywareBlaster, IE-SPYAD, SpywareGuard or the Firetrust toolbar, and a hosts file are a good start. They contain a list of bad CLSIDs and bad sites, thus preventing you from getting to those sites in the first place. High IE security settings are recommended too. For a description of the programs and more security features see below.

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/offic ... fault.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/securi ... fault.mspx

Recently Published
http://www.microsoft.com/technet/securi ... fault.mspx

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Resources for using Internet Explorer 6
http://support.microsoft.com/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwa ... ilies.mspx

Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6

To check if you have the latest version installed and get the needed updates, please go to the link below:
http://www.java.com/en/download/windows_automatic.jsp
You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to check your Java Software.

Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp

Check in your Control Panel, under Add/Remove programs and uninstall ALL older versions of Sun Java. And in the future, remember to remove older versions of Java when you automatically update to a newer version to avoid exploitation of older versions left on your system.

Check out these topics for more information:
http://spywarewarrior.com/viewtopic.php?t=17910
http://spywarewarrior.com/viewtopic.php?t=17598

Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue applications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Ewido Security Suite

Realtime protection against these threats:
  • Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.
  • Worms
    Nobody should receive e-mails in your name with malicious files in the appendix anymore.
  • Dialers
    Security against all kinds of dialers. No fear when receiving the next phone bill.
  • Trojans and Keyloggers
    No chance for thieves to steal your bank data and personal sensitive information by tapped Internet connections, remote controlled webcams or secret keyboard recordings.
Most of you will already have the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends, the real-time protection and the automatic update feature will stop working. You will still be able to update the program manually.
You can download Ewido Security Suite here
Ewido manual updates. Make sure to close Ewido before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

Use an AntiVirus Software

It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Forgot to answer this :
You are quite correct, this pc did start out life as Windows 98 and then I installed XP home and then Professional. Yes I have a disk. It allows me to upgrade and therefore I assume it will act as a full installation disk??

Yes, it will act as a full install disk, no need to install win98 before installing XP if you ever format and reinstall.

I'll check if your Update issue is related to Haxdoor; in the meantime secure the PC a little bit, try to check out the licence info on the MS site and post / send the WindowsUpdate.log

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by Kimberly » December 27th, 2005, 3:18 pm

Forgot to ask, were you able to go to the Windows Update site since you did install Professional SP2 on top of your existing XP install ? Did the new disk (Professional) prompt for a new serial key to enter when you did install ?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby wonderwill » January 4th, 2006, 6:49 am

Hi Kim

On 27 Dec I carried out the actions as you requested. Out of interest I ran Kaspersky online and it is still showing a number of viruses and infected files. I am attaching a Kaspersky log and a HijackThis log together with the Windows Update log, which does not seem to show anything after 22 Sept, which is not accurate:

2005-08-20 15:49:37 Success IUCTL Starting
2005-08-20 15:49:37 Success IUCTL Shutting down
2005-09-17 18:15:08 Success CDM Starting
2005-09-17 18:15:17 Success CDM Shutting down
2005-09-17 19:11:24 Success IUCTL Starting
2005-09-17 19:11:24 Success IUCTL Shutting down
2005-09-20 16:25:04 Success CDM Starting
2005-09-20 16:26:36 Success CDM Shutting down
2005-09-20 17:40:17 Success CDM Starting
2005-09-20 17:40:24 Success CDM Shutting down
2005-09-21 20:01:25 Success CDM Starting
2005-09-21 20:02:03 Success CDM Shutting down
2005-09-22 19:36:46 Success CDM Starting
2005-09-22 19:36:46 Success IUCTL Starting
2005-09-22 19:36:53 Success IUCTL Downloaded iuident.cab from http://windowsupdate.microsoft.com/v4/iuident.cab
2005-09-22 19:36:53 Success IUCTL Checking to see if new version of Windows Update software available
2005-09-22 19:36:53 Success IUENGINE Starting
2005-09-22 19:36:57 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/ ... nifest.asp
2005-09-22 19:36:57 Error IUENGINE Finding matching driver for DISPLAY\DEL7005\4&76EBD97&0&80861100&00&02 (Error 0x80004005: Unspecified error)
2005-09-22 19:37:03 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/ ... nifest.asp
2005-09-22 19:37:04 Error IUENGINE Finding matching driver for DISPLAY\DEL7005\4&76EBD97&0&80861100&00&02 (Error 0x80004005: Unspecified error)
2005-09-22 19:37:07 Success IUENGINE Shutting down
2005-09-22 19:37:07 Success IUCTL Shutting down
2005-09-22 19:37:07 Success CDM Shutting down
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » January 4th, 2006, 6:50 am

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 04, 2006 10:47:42
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/01/2006
Kaspersky Anti-Virus database records: 168951
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31611
Number of viruses found: 8
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 2843 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\init[1].js Infected: Trojan-Downloader.JS.IstBar.af
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ad
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].htm Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php/packed Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php Infected: Trojan-Downloader.JS.Codebase.c
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am

Scan process completed.
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » January 4th, 2006, 6:51 am

Logfile of HijackThis v1.99.1
Scan saved at 10:50:46, on 04/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm
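
A first pass over an O4/O23 listing like the log above can be made on where each autostart binary lives rather than on what it is called. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from MalwareRemoval.com. It parses HijackThis-format O4 Run-key lines and O23 service lines from a small constructed sample (modelled on entries in the logs posted in this thread) and flags any entry whose executable sits under Temp, Local Settings or Application Data. The directory fragments in SUSPECT_DIRS are my own choice of heuristic, and a flag is a prompt for a human to look closer, not a verdict: legitimate tools occasionally run from those locations too.

```python
"""Triage helper for HijackThis-style O4 (Run key) and O23 (service) lines.

Added example, not part of the thread or of HijackThis itself.  It flags
autostart entries whose executable lives in a location that installed
software normally does not run from (Temp, Local Settings, Application
Data).  A flag means "look closer", not "malicious".
"""
import re

# Constructed sample lines in HijackThis v1.99 format, modelled on entries
# that appear in the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [seek math] C:\DOCUME~1\OWNER~1.HOM\APPLIC~1\OPTION~1\defyrdrmail.exe
O4 - HKLM\..\Run: [bias road sign logo] C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad\AtomLoud.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: OJDGKR - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe
"""

# O4: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23: "O23 - Service: <display name> - <vendor text> - <drive>:\<path>"
# The vendor text may itself contain " - " (e.g. a URL), so the path is
# anchored on the drive letter rather than on the separator count.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# First quoted or unquoted executable path inside a command line.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat))"?', re.IGNORECASE)

# Directory fragments (long and 8.3 short forms) where an autostart binary
# deserves a second look.  Lower-case, with surrounding backslashes so that
# they only match whole path components.  Heuristic chosen for this example.
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                "\\applic~1\\", "\\application data\\")


def suspect_reasons(path):
    """Return the SUSPECT_DIRS fragments present in *path* (case-insensitive)."""
    low = path.lower()
    return [frag for frag in SUSPECT_DIRS if frag in low]


def parse_entries(log_text):
    """Yield (kind, name, exe_path) for every O4/O23 line that can be parsed."""
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("cmd"))
            if exe:
                yield ("O4", m.group("name"), exe.group("path"))
            continue
        m = O23_RE.match(line)
        if m:
            yield ("O23", m.group("name"), m.group("path").strip())


def triage(log_text):
    """Return the entries whose executable sits in a suspect directory."""
    flagged = []
    for kind, name, path in parse_entries(log_text):
        reasons = suspect_reasons(path)
        if reasons:
            flagged.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT_LOG):
        print(f"{hit['kind']:<4}{hit['name']!r:<26}{hit['path']}  <- {', '.join(hit['reasons'])}")
```

Run as a script it prints the three sample entries that live under Application Data or Temp; the two Program Files entries and the system32 service pass without comment. Anything it prints still has to be checked against what is actually installed before it is removed.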

Unread postby Kimberly » January 4th, 2006, 12:06 pm

The HijackThis log is clean. The files are in Internet content; close all browsers and clean Internet content.

Clean out your Temporary Internet Files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click Apply then OK.
  • Click OK.
______________________________

Turn off System Restore
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  4. Click Yes when you receive the prompt to turn off System Restore.
Reboot your computer.

Turn System Restore back on
  1. Click Start, right-click My Computer, and then click Properties.
  2. Click the System Restore tab.
  3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
A new restore point will be created automatically.
______________________________

Run HijackThis, click on Open the Misc Tools Section, click on Open Uninstall Manager. Click on Save List and save uninstall_list.txt to your Desktop. Open this file in Notepad and copy/paste the content in your reply.
Click back (the one located at the right side of the save list button)
Put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, answer Yes and copy/paste the content in your reply.

Any chance that you have a program called BearShare installed?

Strange indeed about Windows Updates; gonna see if I can find some steps to try out to get it running.

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
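
The reply above sorts the Kaspersky detections by where they sit: entries under Temporary Internet Files go away when the browser cache is emptied, and entries under System Volume Information\_restore go away when System Restore is switched off and back on. As an added example (not code from the thread, from Kaspersky or from MalwareRemoval.com), the script below applies that mapping mechanically. It parses the report's `<path> Infected: <name>` lines from a constructed sample in the same format, collapses the `/stream/...` sub-objects back to the on-disk file, and reports which cleanup step covers each group and what is left over. The location classes, the action strings and the single system32 line in the sample are my own constructions; the detection names are the ones that appear in the report posted in this thread.

```python
"""Group Kaspersky on-line scanner detections by where the file lives.

Added example; not code from the thread, MalwareRemoval.com or Kaspersky.
Maps each reported path to the cleanup step the helper prescribes for it:
browser cache -> empty Temporary Internet Files; restore point -> toggle
System Restore; anything else -> needs its own removal step.
"""
import re
from collections import defaultdict

# Constructed sample in the "<path> Infected: <name>" line format of the
# report posted in this thread.  The last detection line is a made-up path
# (constructed for this example) so that the "left over" case is exercised.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\init[1].js Infected: Trojan-Downloader.JS.IstBar.af
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am
C:\WINDOWS\system32\constructed_example.sys Infected: Backdoor.Win32.Haxdoor.fr

Scan process completed.
"""

LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+)$")

CACHE = "browser cache"
RESTORE = "system restore point"
LIVE = "live file system"

# What the reply above prescribes for each location class.
ACTIONS = {
    CACHE: "close every browser, then empty Temporary Internet Files",
    RESTORE: "turn System Restore off, reboot, then turn it back on",
    LIVE: "not covered by the two cleanup steps; needs targeted removal",
}


def container_of(path):
    """Kaspersky lists objects inside archives and packed executables as
    <file>/<inner object>; the on-disk file is the part before the first '/'."""
    return path.split("/", 1)[0]


def classify(path):
    """Assign a reported path to one of the three location classes."""
    low = path.lower()
    if "\\temporary internet files\\" in low:
        return CACHE
    if "\\system volume information\\_restore" in low:
        return RESTORE
    return LIVE


def parse_report(text):
    """Yield (path, detection_name) for every 'Infected:' line in the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name")


def summarize(text):
    """Map each location class to the sorted set of on-disk files reported there."""
    groups = defaultdict(set)
    for path, _name in parse_report(text):
        groups[classify(path)].add(container_of(path))
    return {cls: sorted(files) for cls, files in groups.items()}


def recommended_actions(text):
    """Ordered (location class, action, file count) triples for a report."""
    summary = summarize(text)
    return [(cls, ACTIONS[cls], len(summary[cls]))
            for cls in (CACHE, RESTORE, LIVE) if cls in summary]


if __name__ == "__main__":
    for cls, action, count in recommended_actions(SAMPLE_REPORT):
        print(f"{count} file(s) in {cls}: {action}")
```

On the sample this yields two cached files, two restore-point files and one file outside both, which is the case the two GUI procedures above do not reach. Collapsing the `/stream/...` entries matters: the same packed executable is reported once per embedded object, so counting raw lines overstates how many files actually need attention.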

Unread postby wonderwill » January 5th, 2006, 9:48 am

Kim

Uninstall & startup list as requested. Re BearShare: when I ran a search, bearshare.def came up under CyberScrub but no specific programme is installed. Contents of the def file as follows:

FILEVERSION 400100

AREA internetprivacy
FILTER PEER2PEER

FULLNAME "BearShare"
DESCRIPTION "Wipes sensitive information stored by BearShare"
DESCRIPTION "on your computer"

defvar chk1=""
defvar chk2=""
defvar chk3="set"
defvar chk4=""
defvar path=""
defvar ipath=""
defvar iexepath=""
defvar drive=""
defvar downloads=""
defvar tmpfile=""
defvar APPFILTER_VISIBLE=""


; check if the software is installed

target installed

; try to locate registry key for program location

rundll eraserdll.getregvalue("HKEY_LOCAL_MACHINE\Software\BearShare","InstallDir")
getres ipath

; if not found, the application is not installed

switch(ipath)
case ("")
uncheck
rundll eraserdll.show_message("Application not found on your computer","I")
endcase
elsecase
; if found, try to locate the exe file

rundll eraserdll.find("BearShare.exe",ipath)
getres iexepath

switch (iexepath)
case ("")
uncheck
rundll eraserdll.show_message("Application not found on your computer","I")
endcase
endswitch
endswitch

endtarget


; detect the program paths where sensitive data will be erased from

target autodetect

rundll eraserdll.getregvalue("HKEY_LOCAL_MACHINE\Software\BearShare","InstallDir")
getres path

rundll eraserdll.delete_after(path,":")
getres drive

rundll eraserdll.concatstr(drive,":\My Downloads")
getres downloads

SWITCH(PATH)
CASE("")
MOVE APPFILTER_VISIBLE,"0"
UNCHECK
ENDCASE
ELSECASE
MOVE APPFILTER_VISIBLE,"1"
ENDSWITCH


endtarget


target main

Switch(chk1)
case("set")
erase FILES&FOLDERS(downloads)
erase SINGLEFILE("\\path\\\db\library.dat")
endcase
endswitch

Switch(chk2)
case("set")
erase FILES&FOLDERS("\\path\\\Temp")
endcase
endswitch

switch(chk3)
case("set")
erase FILES&FOLDERS("\\path\\\Logs")
endcase
endswitch

switch(chk4)
case("set")
rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "Show idle users in the userlist")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "produce audible chat notification of waiting messages")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "chat nickname desired")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "email address")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "AmericaOnline IM screenname")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "Yahoo IM screenname")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "MSN IM screenname")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "ICQ user ID")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "Message sent to all chat clients upon connect")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch

rundll eraserdll.clear_text_lines(path,"FreePeers.ini", "Has user accepted warning on chat")
getres tmpfile

switch(tmpfile)
case("")
endcase
elsecase
erase singlefile(tmpfile)
endswitch
endcase
endswitch

endtarget


areamain
exectarget main
endmain

ENDAREA


DESCRIPTOR internetprivacy
oncreate autodetect
oncheck installed
onshow installed

Title "BearShare"
ScreenCenter
width 625
height 180

Checkbox
Title "Wipe your BearShare completed downloads/shared folder"
variable chk1

checkval "set"
uncheckval ""

left 50
top 10
width 455
height 20
end

Checkbox
Title "Wipe your BearShare partial downloads folder"
variable chk2

checkval "set"
uncheckval ""

left 50
top 35
width 360
height 20
end

Checkbox
Title "Wipe your BearShare logs"
variable chk3

checkval "set"
uncheckval ""

left 50
top 60
width 370
height 20
end

Checkbox
Title "Wipe your BearShare chat settings (nickname, e-mail used, etc.)"
variable chk4

checkval "set"
uncheckval ""

left 50
top 85
width 550
height 20
end

okbutton
title "OK"

size 8
left 50
top 115
width 75
height 25
end

cancelbutton
title "Cancel"

size 8
left 140
top 115
width 75
height 25
end


DESCRIPTORMAIN

execarea internetprivacy

ENDDESCRIPTOR

.END
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » January 5th, 2006, 9:49 am

Uninstall:

Ad-Aware SE Personal
Adobe Acrobat 5.0
Ashampoo WinOptimizer Platinum Suite 2
AVG Free Edition
CyberScrub® Privacy Suite™ 4.0 Trial
eMule
EPSON Printer Software
EPSON Status Monitor 2
ewido security suite
Intel(R) Extreme Graphics Driver
iPod Updater 2004-11-15
iTunes
iTunes
J2SE Runtime Environment 5.0 Update 3
Kaspersky On-line Scanner
Lavasoft VX2 Cleaner
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Flash Player 8
Messenger Plus! 3
Microsoft Data Access Components KB870669
Microsoft Office 2000 Premium
Mozilla Firefox (1.0.7)
MSN Messenger 7.5
NETGEAR WG111T Smart Wizard Wireless Utility
QuickTime
Registry Mechanic
Registry Workshop
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Spybot - Search & Destroy 1.2
TreeSize Professional 2.43
Update for Windows XP (KB894391)
Update for Windows XP (KB910437)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Your Uninstaller! 2004 Version 3
ZoneAlarm
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Unread postby wonderwill » January 5th, 2006, 9:50 am

StartupList report, 05/01/2006, 13:42:24
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner.HOMESOPHIE\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
NETGEAR WG111T Smart Wizard.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
bias road sign logo = C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad\AtomLoud.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
seek math = C:\DOCUME~1\OWNER~1.HOM\APPLIC~1\OPTION~1\defyrdrmail.exe
MessengerPlus3 = "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll - {49E0E0F0-5C30-11D4-945D-000000000003}
(no name) - C:\DOCUME~1\OWNER~1.HOM\APPLIC~1\REMOTE~1\Exit fork.exe - {4C45EFD8-4B3D-C32F-3C59-E85D022E52C5}

--------------------------------------------------

Enumerating Task Scheduler jobs:

A9D537F790EEA9DF.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/ ... nicode.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... p43dmo.CAB

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 5357196000

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftup ... 7818920249

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[Seekford Solutions, Inc.'s ssiPictureUploader Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SSIPIC~1.OCX
CODEBASE = http://img.funtigo.com/images/uploader/ ... loader.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMe ... loader.cab

[Java Plug-in 1.5.0_03]
InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): System32\DRIVERS\alcan5wn.sys (manual start)
SpeedTouch ADSL Modem ATM Transport: System32\DRIVERS\alcaudsl.sys (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NETGEAR WG111T USB2.0 Wireless Card Service: System32\DRIVERS\wg11tnd5.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
NETGEAR WG111T bootloader driver: System32\Drivers\ATHFMWDL.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: system32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNINDIS5 NDIS Protocol Driver: \??\C:\WINDOWS\System32\DNINDIS5.SYS (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EpsonBidirectionalService: C:\Program Files\EPSON\ESM2\eEBSVC.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1370), SB PCI 64/128 (WDM): system32\drivers\ES1370MP.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
AEGIS Protocol (IEEE 802.1x) v2.3.1.10: System32\DRIVERS\mdc8021x.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OJDGKR: C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Volume Adapter: system32\DRIVERS\lv302af.sys (manual start)
QuickCam IM(PID_08A0): system32\DRIVERS\LV302AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{44644301-5CAC-48B5-8DC0-0D5246A8CCB6} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,817 bytes
Report generated in 0.360 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
wonderwill
Regular Member
 
Posts: 80
Joined: December 4th, 2005, 12:24 pm
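As an added illustration that is not part of this thread or of StartupList itself: a small Python triage pass over report lines in the format above, flagging services and Browser Helper Objects that load from user-writable Temp or profile folders and scheduled jobs with random hexadecimal names. The heuristics and the embedded sample lines are my own, assembled from entries in the report above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in StartupList's report format, built from lines that
# appear in the report above (services, BHOs and Task Scheduler sections).
SAMPLE_REPORT = r"""
Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\DOCUME~1\OWNER~1.HOM\APPLIC~1\REMOTE~1\Exit fork.exe - {4C45EFD8-4B3D-C32F-3C59-E85D022E52C5}

--------------------------------------------------

Enumerating Task Scheduler jobs:

A9D537F790EEA9DF.job

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
OJDGKR: C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # "service", "bho" or "job"
    name: str
    path: str
    reason: str


# Line shapes StartupList uses for the three sections this thread acts on.
SERVICE_RE = re.compile(
    r"^(?P<name>[^:]+): (?P<path>.+) \((?:system|manual start|autostart|disabled)\)$"
)
BHO_RE = re.compile(r"^\((?P<name>[^)]*)\) - (?P<path>.+) - \{[0-9A-Fa-f-]{36}\}$")
JOB_RE = re.compile(r"^(?P<name>[0-9A-Fa-f]{8,})\.job$")

# Folders a legitimate service or BHO almost never loads from: per-user Temp
# and profile folders, which StartupList prints either in long or 8.3 form.
USER_WRITABLE_RE = re.compile(
    r"\\(temp|locals~1|applic~1|application data|local settings"
    r"|documents and settings|docume~1)\\",
    re.IGNORECASE,
)


def _strip_nt_prefix(path: str) -> str:
    """StartupList prints some driver paths as \\??\\C:\\...; drop that prefix."""
    return path[4:] if path.startswith("\\??\\") else path


def triage_startuplist(report: str) -> list[Finding]:
    """Return the entries in a StartupList report that merit a closer look."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        bho = BHO_RE.match(line)
        job = JOB_RE.match(line)
        if svc or bho:
            m = svc or bho
            section = "service" if svc else "bho"
            path = _strip_nt_prefix(m.group("path"))
            hit = USER_WRITABLE_RE.search(path)
            if hit:
                findings.append(Finding(section, m.group("name"), path,
                                        f"loads from user-writable folder ({hit.group(1)})"))
        elif job:
            # The job file lives under %WinDir%\Tasks, as the reply below notes.
            findings.append(Finding("job", job.group("name") + ".job", r"%WinDir%\Tasks",
                                    "scheduled job with a random hexadecimal name"))
    return findings


if __name__ == "__main__":
    for f in triage_startuplist(SAMPLE_REPORT):
        print(f"[{f.section}] {f.name}: {f.path} -> {f.reason}")
```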

Unread postby Kimberly » January 5th, 2006, 10:17 am

Hello wonderwill,

Nothing in your installed programs explains the BargainBuddy stuff, probably happened when you visited a site. StartupList is correct, the services that are needed for Windows Update are running. Gonna see if I can find something about the error listed. Do you have other error messages in the Windows Update log?

I noticed that Messenger 3 is installed again and running. This time you've got LOP running. If you want to clean up, do the tasks below.

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

MessengerPlus! 3

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.

Copy/paste the following text into a new Notepad document.

cd %WinDir%\Tasks
attrib -r -s -h A9D537F790EEA9DF.job
del A9D537F790EEA9DF.job


Save it to your desktop as klj.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: klj.bat

Double click klj.bat. A DOS box should open and close quickly; this is normal.


Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

An O4 line with bias road sign logo

Close ALL windows and browsers except HijackThis and click Fix Checked

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\MessengerPlus! 3
C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad

Post a HijackThis log for review.

Did you visit the Microsoft site I suggested to check your license key?

Kim
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am