Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hjt log, pop up problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hjt log, pop up problem

Unread postby aasha86 » December 26th, 2005, 1:31 pm

Hi,
I have lots of popups and ive tried fixing this problem before but for some reason it doesnt work.
I have adaware and spyblaster.
Please let me know if you can help!
thanks!

here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:51 AM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BearShare\BearShare.exe
C:\windows\system32\rmdsregs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\rwinomaw.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uchicago.edu/
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [{96-69-92-20-ZN}] C:\windows\system32\rmdsregs.exe FI003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinomaw.exe FI003
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinomaw.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm
Advertisement
Register to Remove

Unread postby Kimberly » December 26th, 2005, 3:55 pm

Hello aasha86 and welcome,

Bearshare is running at boot, stop it for now please.
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

I you don't have the paid version, I even recommend you uninstall the program since it's bundled - Use Add / Remove programs
http://www.spywareinfo.com/articles/p2p/
______________________________

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to udate outdated definitions - set to 7 days
Click on the Scanning Button of the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include addtional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summarry in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close the program.
______________________________

If Spybot - S&D 1.4 is already installed on your system, skip to Update Spybot - S&D before using it. Otherwise download Spybot - S&D from the following link:
Spybot - Search and Destroy

When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, pressing the Next button until you get to the Select Additional Tasks screen.

Under Permanent protection, make sure to uncheck the following items for now:
  • Use Internet Explorer Protection
  • Use system settings Protection (TeaTimer)
Press the Next button and then the Install button to start the installation process. When the installation process is complete, make sure that Run Teatimer is unchecked.

Launch Spybot - S&D

If you told Spybot to launch when it was done installing, the program should now be open. Otherwise find the icon on your desktop and double-click on it. When you use Spybot - S&D for the first time, it will prompt you for certain tasks to complete. Skip all tasks for now by pressing the Next button. Click on the button labeled Start using this program to begin using Spybot - Search & Destroy.

Update Spybot - S&D before using it

Click on the Search for Updates button. If there are available updates, they will be listed. Click on the Download Updates button and Spybot - S&D will download the updates and install them.
______________________________

Start Ewido, you will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.
______________________________

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

Zeno Search or Zeno Browser Enhancer

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Download Brute Force Uninstaller
http://www.merijn.org/files/bfu.zip

Create a folder for BFU on the C: drive called C:\BFU. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it BFU. Extract the files from the zip archive into that folder.
Run the program and click the Web button as shown by the blue arrow below:
Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button. Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program. Reboot the computer.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [{96-69-92-20-ZN}] C:\windows\system32\rmdsregs.exe FI003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinomaw.exe FI003
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinomaw.exe

Close ALL windows and browsers except HijackThis and click Fix Checked
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\DNS

Using Windows Explorer, Search and Delete these Files if listed:

C:\windows\system32\rmdsregs.exe
C:\WINDOWS\System32\rwinomaw.exe

Use the Start > Search function to find the following Files and Delete them if listed. Make sure that Local Disk (C) is listed in the dropdrown box - if not, click the arrow and select it.
Click All files and folders, and then click More advanced options.
  • Click to select the Search system folders and Search hidden files and folders check boxes.
  • Make sure that the Subfolders are checked too.
Type the name of the file in the search box and click the Search button

scvhost.exe <--- don't confond with the legimate file C:\WINDOWS\System32\svchost.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and reboot in Normal Mode
______________________________

Run Ad-Aware and Click on the Scan Now Button
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.

Reboot to complete the removal of what Ad-Aware SE found.
______________________________

Run Spybot - S&D

Click the button Check for Problems
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows.
______________________________

Please post the Ewido log and a new HijackThis log.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

new HJT log

Unread postby aasha86 » December 26th, 2005, 6:43 pm

Hey,
I did get zeno popups but it wasnt a program in the add/remove section.
I followed the steps and here is the new hjt log.
thanks!

Logfile of HijackThis v1.99.1
Scan saved at 4:41:05 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\windows\system32\rmdsregs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Network\network.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\rwinomaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uchicago.edu/
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [{96-69-92-20-ZN}] C:\windows\system32\rmdsregs.exe FI003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinomaw.exe FI003
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinomaw.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby Kimberly » December 27th, 2005, 10:43 am

Hi,

I did get zeno popups but it wasnt a program in the add/remove section.
I followed the steps and here is the new hjt log.

Since Zeno was not present in Add/Remove, I hope you did perform the rest of the instructions because your HijackThis log still shows the same entries and you didn't post the Ewido log as requested.

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [{96-69-92-20-ZN}] C:\windows\system32\rmdsregs.exe FI003
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinomaw.exe FI003
O4 - HKLM\..\RunServices: [ms-update] scvhost.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinomaw.exe

Close ALL windows and browsers except HijackThis and click Fix Checked

Please post:

1. Ewido log
2. new HijackThis log

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby aasha86 » December 27th, 2005, 3:34 pm

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:29:46 PM, 12/27/2005
+ Report-Checksum: DA963C28

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE -> Adware.AFAEnhance : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historystring -> Spyware.ISTBar : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoegcjcbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wflockcjseo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-cricinfo.hitbox[3].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-nestleusainc.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@partygaming.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valuead[1].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@vegasred[2].txt -> Spyware.Cookie.Vegasred : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@weborama[2].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.vegasred[1].txt -> Spyware.Cookie.Vegasred : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\180SAInstallerAdPerform.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\i1E.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9R7KNALC\inst_FI003[1].exe -> Spyware.ZenoSearch : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Common Files\umuz\umuzd\umuzc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Common Files\Windows\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\95F2C5D3-638C-46D9-8CF6-3A8DEA\B356724A-1531-4DF1-8B59-261E49 -> Spyware.Wintol : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\B11D03C5-81D8-43F9-A357-B6E433\0B45589D-6C13-463C-8857-41A21B -> Spyware.WebSearch : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\B11D03C5-81D8-43F9-A357-B6E433\5DED30C8-373D-46D5-8C43-B128BA -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\system\QBUninstaller.exe -> Downloader.Small.aly : Cleaned with backup
C:\WINDOWS\system32\rmdsregs.exe -> Spyware.ZenoSearch : Cleaned with backup


::Report End


hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:34 PM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uchicago.edu/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby aasha86 » December 27th, 2005, 10:42 pm

i also found this C:\WINDOWS\System32\rwinomaw.exe
but it wouldnt let me delete it :(
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby Kimberly » December 28th, 2005, 9:14 am

Hello aasha86,

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

HKEY_LOCAL_MACHINE\SOFTWARE\YourSiteBar


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\Common Files\umuz
C:\Program Files\Common Files\Windows
______________________________

Download Killbox by Option^Explicit to your Desktop or to your usual Download Folder.
http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop or a convenient folder.

Double-click Killbox.exe to run it.
Next, you will be entering items into Pocket KillBox. Please select the “Delete on Rebootâ€
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby aasha86 » December 28th, 2005, 5:20 pm

Logfile of HijackThis v1.99.1
Scan saved at 3:13:32 PM, on 12/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Network\network.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.uchicago.edu/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Instant Messanger] aim.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://echat.us.dell.com/Media/VisitorC ... EFlash.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

win:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gngsmsnx
{551943cb-4c58-4e6d-880f-878698c53200} = C:\WINDOWS\System32\ckcso.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}
IEWebCatcher Class = C:\Program Files\DNS\Catcher.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Network C:\Program Files\Network\network.exe
BrowserUpdateSched C:\WINDOWS\system32\rwinomaw.exe FI003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
AOL Instant Messanger aim.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\6clro2if
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 6clro2if
hkey HKLM
command C:\WINDOWS\System32\6clro2if.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 6clro2if
hkey HKLM
command C:\WINDOWS\System32\6clro2if.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Instant Messanger
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command aim.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command aim.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\App32dll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnavc32
hkey HKLM
command C:\windows\system32\msnavc32.exe lee0105
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnavc32
hkey HKLM
command C:\windows\system32\msnavc32.exe lee0105
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CasStub
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casstub
hkey HKCU
command C:\Program Files\CasStub\casstub.exe -run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casstub
hkey HKCU
command C:\Program Files\CasStub\casstub.exe -run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cfgmgr52
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cfgmgr52
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cfgmgr52
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dinst
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dinst
hkey HKLM
command C:\WINDOWS\dinst.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dinst
hkey HKLM
command C:\WINDOWS\dinst.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eltupt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltupt
hkey HKLM
command C:\WINDOWS\eltupt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltupt
hkey HKLM
command C:\WINDOWS\eltupt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gcasServ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb04
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb04
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightLAN 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightMonitor 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KavSvc
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kjklhl
hkey HKLM
command C:\WINDOWS\System32\kjklhl.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kjklhl
hkey HKLM
command C:\WINDOWS\System32\kjklhl.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lanbrup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lanbrup
hkey HKLM
command C:\WINDOWS\System32\lanbrup.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lanbrup
hkey HKLM
command C:\WINDOWS\System32\lanbrup.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lchyjb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ytgwiv
hkey HKLM
command c:\windows\system32\ytgwiv.exe r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ytgwiv
hkey HKLM
command c:\windows\system32\ytgwiv.exe r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Motive SmartBridge
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MotiveSB
hkey HKLM
command C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MotiveSB
hkey HKLM
command C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPFExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPSExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msxct
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msxct
hkey HKLM
command msxct.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msxct
hkey HKLM
command msxct.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Nsv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nsvsvc
hkey HKLM
command C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nsvsvc
hkey HKLM
command C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSof1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\System32\PSof1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\System32\PSof1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\richup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item richup
hkey HKLM
command C:\WINDOWS\System32\richup.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item richup
hkey HKLM
command C:\WINDOWS\System32\richup.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Xagphg
hkey HKLM
command C:\WINDOWS\System32\Xagphg.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Xagphg
hkey HKLM
command C:\WINDOWS\System32\Xagphg.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sysnet
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysnet
hkey HKLM
command C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysnet
hkey HKLM
command C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System service62
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka62
hkey HKLM
command C:\WINDOWS\etb\pokapoka62.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka62
hkey HKLM
command C:\WINDOWS\etb\pokapoka62.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SysCheckBop32
hkey HKLM
command C:\WINDOWS\SysCheckBop32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SysCheckBop32
hkey HKLM
command C:\WINDOWS\SysCheckBop32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemClockManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command C:\WINDOWS\\\\\\\\\\\\\\\\\\\
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command C:\WINDOWS\\\\\\\\\\\\\\\\\\\
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Tsl2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tsl2
hkey HKLM
command C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tsl2
hkey HKLM
command C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vidctrl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vidctrl
hkey HKLM
command C:\WINDOWS\System32\vidctrl\vidctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vidctrl
hkey HKLM
command C:\WINDOWS\System32\vidctrl\vidctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/28/2005 11:34:50 AM

I cant find the Kasper log but i know i saved it.
and the file did delete but i still got a zeno popup
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby aasha86 » December 28th, 2005, 8:35 pm

here is the kaspersky log!
-------------------------------------------------------------------------------


KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 18:32:19
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/12/2005
Kaspersky Anti-Virus database records: 168084
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55854
Number of viruses found: 47
Number of infected objects: 302
Number of suspicious objects: 6
Duration of the scan process: 2510 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryCleaner.zip/soproc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RegistryCleaner.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QL8HGRO3\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\a.exe/mc-58-12-0000140.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.f
C:\Documents and Settings\Owner\a.exe/al.exe Infected: Trojan-Dropper.Win32.VB.is
C:\Documents and Settings\Owner\a.exe Infected: Trojan-Dropper.Win32.VB.is
C:\Documents and Settings\Owner\Local Settings\Temp\1245668_3040_1628_2136_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\1704154_1032_976_2056_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\1770494_3040_1628_3788_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\18809104_2324_1104_844_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\328192_1032_976_2476_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\328220_4836_588_3364_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\3604786_5304_852_3300_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\393848_4836_588_3708_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\4718920_3040_1628_2976_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\524568_1348_1840_2764_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\6292100_2324_1104_500_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\655850_4836_588_5416_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\787334_3040_1628_2524_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\917624_4836_588_4164_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\918030_4836_588_4124_63.41.tmp1 Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\Owner\Local Settings\Temp\fcfr.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\fincda.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\GLFD3GLFD3.EXE/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\Documents and Settings\Owner\Local Settings\Temp\GLFD3GLFD3.EXE Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\Documents and Settings\Owner\Local Settings\Temp\installer4_thin.exe/data0002/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\Documents and Settings\Owner\Local Settings\Temp\installer4_thin.exe/data0002 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\Documents and Settings\Owner\Local Settings\Temp\installer4_thin.exe/data0009 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\installer4_thin.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\mmsccp32.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\Local Settings\Temp\RegcleanBundle.EXE/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\Documents and Settings\Owner\Local Settings\Temp\RegcleanBundle.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\Documents and Settings\Owner\Local Settings\Temp\thin_installer.exe/data0002 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\thin_installer.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\thin_installer2.exe/data0002 Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\thin_installer2.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.a
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Documents and Settings\Owner\Local Settings\Temp\wkstdown.exe Infected: Trojan.Win32.Crypt.t
C:\Documents and Settings\Owner\My Documents\backups\backup-20050902-120545-790 Infected: Exploit.HTML.Mht
C:\Documents and Settings\Owner\My Documents\backups\backup-20050902-120545-970 Suspicious: Exploit.HTML.Mht
C:\Program Files\BearShare\Installer\BSInstall5.1.0.26.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\BearShare\Installer\BSInstall5.1.0.26.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\Common Files\InetGet\mc-58-12-0000140.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Program Files\Common Files\InetGet2\mc-58-12-0000140.exe Infected: Trojan-Downloader.Win32.Small.bqq
C:\Program Files\Common Files\mc-58-12-0000140.exe Infected: Trojan-Downloader.Win32.Small.bqq
C:\Program Files\Common Files\services.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\Program Files\Microsoft AntiSpyware\Quarantine\B11D03C5-81D8-43F9-A357-B6E433\0B45589D-6C13-463C-8857-41A21B Infected: not-a-virus:AdWare.Win32.WebSearch.an
C:\Program Files\Microsoft AntiSpyware\Quarantine\B11D03C5-81D8-43F9-A357-B6E433\5DED30C8-373D-46D5-8C43-B128BA Infected: not-a-virus:AdWare.Win32.WebSearch.an
C:\RECYCLER\S-1-5-21-1715567821-1770027372-839522115-1006\Dc28\mc-58-12-0000140.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\RECYCLER\S-1-5-21-1715567821-1770027372-839522115-1006\Dc28\services32.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\sjkqjq.exe Infected: Backdoor.Win32.Wisdoor.au
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196229.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196230.dll/Catcher.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.s
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196230.dll/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196230.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196240.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196241.exe Infected: not-a-virus:AdWare.Win32.180Solutions.g
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196242.exe Infected: not-a-virus:AdWare.Win32.180Solutions
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196244.dll Infected: not-a-virus:AdWare.Win32.Suggestor.f
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196245.exe Infected: not-a-virus:AdWare.Win32.180Solutions.g
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196246.dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP334\A0196269.dll Infected: not-a-virus:AdWare.Win32.180Solutions.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP335\A0196284.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP336\A0196294.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP337\A0196314.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP338\A0196325.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP338\A0196330.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP341\A0196355.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP342\A0197496.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP342\A0197497.dll/Catcher.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.s
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP342\A0197497.dll/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP342\A0197497.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP343\A0198364.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP343\A0198385.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198388.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198389.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198391.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198392.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198393.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP344\A0198394.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP345\A0198420.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP345\A0198424.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP345\A0198429.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP347\A0198443.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP349\A0199452.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP349\A0199453.dll/Catcher.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.s
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP349\A0199453.dll/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP349\A0199453.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP350\A0199459.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199476.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199477.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199478.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199480.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199481.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199482.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199483.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP352\A0199484.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP353\A0199523.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP355\A0200438.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP355\A0200442.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP356\A0200564.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP359\A0200614.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP359\A0200615.dll/Catcher.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.s
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP359\A0200615.dll/gui.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP359\A0200615.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.a
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP359\A0201597.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP363\A0201686.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP363\A0201692.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP365\A0202692.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP367\A0202717.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP367\A0202727.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP367\A0202728.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP367\A0202729.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP369\A0203689.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP369\A0203696.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP369\A0204702.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP369\A0205697.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP371\A0206692.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP377\A0207720.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP379\A0208692.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209751.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209755.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209763.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209764.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209765.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP382\A0209861.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210024.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210025.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210026.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210027.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210044.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210054.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ad
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP383\A0210058.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP385\A0210081.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP385\A0210084.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.s
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP386\A0210106.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP387\A0210132.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP388\A0211139.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212144.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212148.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212149.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212150.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212151.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212152.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP389\A0212153.sys Suspicious: Rootkit.Win32.Agent.ao
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP390\A0212180.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP390\A0212186.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP390\A0212187.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP390\A0212188.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP390\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP391\A0212205.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP391\A0212206.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP391\A0212207.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP391\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213136.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213137.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213141.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213157.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213163.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213164.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\A0213165.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP392\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP393\A0213187.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP393\A0213188.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP393\A0213189.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP393\A0213206.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP393\A0213209.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213219.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213221.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213222.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213223.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213224.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213225.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213228.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213229.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213230.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213230.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213230.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213242.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ae
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213253.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP394\A0213257.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP395\A0213262.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP395\A0213263.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP395\A0213274.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP395\A0213277.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP396\A0213299.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP396\A0213300.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP396\A0213309.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP396\A0213311.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213321.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213322.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213328.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213336.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213351.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP397\A0213352.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP398\A0213364.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP398\A0213365.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP399\A0213374.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP399\A0213375.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP399\A0213378.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP400\A0213385.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP400\A0213387.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP400\A0213388.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP401\A0213390.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP401\A0213400.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP401\A0213401.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213403.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213407.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213409.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213451.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213452.srg Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213453.vxd Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213454.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213457.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213458.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213459.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213459.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213459.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213488.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213489.dll Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP402\A0213490.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP403\A0213519.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP404\A0216486.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP405\A0217484.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP405\A0217498.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP407\A0218503.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP408\A0219506.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP408\A0220498.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP410\A0221501.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP410\A0221502.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP410\A0221503.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP410\A0221511.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP412\A0222525.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP413\A0224522.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP414\A0225516.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP415\A0225551.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP416\A0226539.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0226553.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0226554.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0226555.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0226556.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0226557.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP417\A0227531.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227597.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227640.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227641.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ae
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227644.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch.ae
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227646.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP418\A0227649.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP419\A0227670.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP419\A0227672.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP419\A0227674.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.d
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP419\A0227687.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP420\A0227697.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\System Volume Information\_restore{EFCE6CF9-7C45-4923-9E49-39317F889793}\RP420\A0227721.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.j
C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe Infected: Trojan-Downloader.Win32.TSUpdate.p
C:\WINDOWS\system32\bsva-egihsg52.exe/data0003 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\bsva-egihsg52.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\WINDOWS\system32\btnetw3_venturahot_246765.exe/data0003 Infected: not-a-virus:AdWare.Win32.HotSearchBar.i
C:\WINDOWS\system32\btnetw3_venturahot_246765.exe Infected: not-a-virus:AdWare.Win32.HotSearchBar.i
C:\WINDOWS\system32\Cache\ssee.exe/data0011 Infected: Trojan.Win32.VB.tx
C:\WINDOWS\system32\Cache\ssee.exe/data0012 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Cache\ssee.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\dmohgina.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\ep02bmec.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV4.exe/data0001 Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\WINDOWS\system32\InstallerV4.exe Infected: not-a-virus:AdWare.Win32.SafeSurfing.o
C:\WINDOWS\system32\lanbruns.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
C:\WINDOWS\system32\lanbruns.exe Infected: Trojan-Downloader.NSIS.Agent.i
C:\WINDOWS\system32\odbshrui.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\system32\richedtr.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.m
C:\WINDOWS\system32\rktpd728.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\unist2.exe Infected: not-a-virus:AdWare.Win32.ShopNav.l

Scan process completed.
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby Kimberly » December 28th, 2005, 11:46 pm

Lots of things to cleanup, :shock: you have Qoologic running or leftovers from it. I need a few things before cleanup. You also have a rootkit installed, let's remove that first while I'm looking up your logs.
______________________________

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. You MUST run this tool in Safe Mode or it won't detect anything.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
Please post the entire contents of the log.txt file in the aproposfix folder.
______________________________

Open the C:\WinPFind folder and double-click on WinPFind.exe.
Leave the scan options and click on the Start Scan button and wait for it to finish.

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log file named C:\WinPFind\WinPFind.txt. Please copy that log into your next reply.
______________________________

Download Bobbi Flekman's RegSearch from
http://www.bleepingcomputer.com/files/regsearch.php

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

FFF4E223-7019-4ce7-BE03-D7D3C8CCE884

One the next line type : Catcher.dll

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.
______________________________

Please post :

1. Apropos fix log
2. Winpfind log
3. Results from regsearch

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby aasha86 » December 29th, 2005, 2:42 pm

Hey,
HEre are the 3 logs. it took a long time because the computer kept freezing during the processes. But hopefully these are right!
THanks!

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\bobbie\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 7/22/2005 9:45:44 AM 14848 C:\sjkqjq.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com 7/12/2005 1:11:14 PM 11216 C:\WINDOWS\aoarm.dll
web-nex 7/12/2005 1:11:14 PM 11216 C:\WINDOWS\aoarm.dll
ad-w-a-r-e.com 7/12/2005 1:11:14 PM 11216 C:\WINDOWS\aoarm.dll
UPX! 9/25/2003 3:20:04 AM 43391 C:\WINDOWS\browser.exe
UPX! 12/19/2004 12:12:36 AM 597204 C:\WINDOWS\del.tmp

Checking %System% folder...
SAHAgent 9/2/2005 12:00:54 PM 3641 C:\WINDOWS\SYSTEM32\5bme7b96.ini
SAHAgent 7/31/2005 9:36:34 AM 3654 C:\WINDOWS\SYSTEM32\6clro2if.ini
PEC2 9/3/2002 10:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/28/2005 3:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
SAHAgent 6/22/2005 7:03:46 PM 35 C:\WINDOWS\SYSTEM32\ep02bmec.ini
SAHAgent 6/22/2005 7:03:46 PM 35 C:\WINDOWS\SYSTEM32\ptcpjg7a.ini
Umonitor 9/3/2002 10:54:44 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 8/1/2005 1:45:06 PM 35 C:\WINDOWS\SYSTEM32\rktpd728.ini
SAHAgent 8/1/2005 1:45:06 PM 35 C:\WINDOWS\SYSTEM32\seic20j8.ini
winsync 9/3/2002 11:10:48 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/6/2005 8:14:56 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 12/6/2005 8:14:56 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 12/6/2005 8:14:56 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 12/6/2005 8:14:56 AM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/29/2005 12:18:16 PM S 2048 C:\WINDOWS\bootstat.dat
12/29/2005 12:13:32 PM H 24 C:\WINDOWS\pyJ3k
12/29/2005 12:18:10 PM H 8192 C:\WINDOWS\system32\config\default.LOG
12/29/2005 12:18:30 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/29/2005 12:18:18 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
12/29/2005 12:19:22 PM H 69632 C:\WINDOWS\system32\config\software.LOG
12/29/2005 12:18:16 PM H 724992 C:\WINDOWS\system32\config\system.LOG
12/13/2005 8:18:50 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e0a5a3c8-33e9-403a-bed6-1b1eec4a1739
12/13/2005 8:18:50 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/29/2005 12:13:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 9/3/2002 10:26:48 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 9/3/2002 10:27:24 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 9/3/2002 10:30:36 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 9/3/2002 10:34:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 9/3/2002 10:35:14 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 10:35:24 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 9/3/2002 10:37:12 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 10:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 9/3/2002 10:42:08 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 10:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 10:50:26 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 9/3/2002 10:50:44 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9/3/2002 10:52:44 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 8:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 9/3/2002 11:05:50 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 11:06:38 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9/3/2002 11:06:48 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 4:03:24 PM 167704 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 10:26:48 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9/3/2002 10:27:24 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9/3/2002 10:30:36 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9/3/2002 10:34:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9/3/2002 10:35:14 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9/3/2002 10:35:24 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 9/3/2002 10:37:12 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9/3/2002 10:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 10:42:08 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9/3/2002 10:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 10:50:26 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9/3/2002 10:50:44 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9/3/2002 10:52:44 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9/3/2002 10:57:12 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9/3/2002 11:05:50 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9/3/2002 11:06:38 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9/3/2002 11:06:48 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation 4/7/2003 2:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0010\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/10/2004 6:43:44 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/11/2004 2:06:12 PM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
12/15/2004 2:13:06 PM 1753 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/10/2004 10:35:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/11/2004 2:06:42 PM 344 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
12/10/2004 6:43:44 PM HS 84 C:\Documents and Settings\bobbie\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
12/10/2004 10:35:42 AM HS 62 C:\Documents and Settings\bobbie\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gngsmsnx
{551943cb-4c58-4e6d-880f-878698c53200} = C:\WINDOWS\System32\ckcso.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SnagItMainShellExt
{CF74B903-3389-469c-B3B6-0204D204FCBD} = C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}
IEWebCatcher Class = C:\Program Files\DNS\Catcher.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MimBoot C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Network C:\Program Files\Network\network.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
AOL Instant Messanger aim.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\6clro2if
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 6clro2if
hkey HKLM
command C:\WINDOWS\System32\6clro2if.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 6clro2if
hkey HKLM
command C:\WINDOWS\System32\6clro2if.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Instant Messanger
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command aim.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command aim.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\App32dll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnavc32
hkey HKLM
command C:\windows\system32\msnavc32.exe lee0105
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnavc32
hkey HKLM
command C:\windows\system32\msnavc32.exe lee0105
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgcc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_EMC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item avgemc
hkey HKLM
command C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CasStub
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casstub
hkey HKCU
command C:\Program Files\CasStub\casstub.exe -run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item casstub
hkey HKCU
command C:\Program Files\CasStub\casstub.exe -run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cfgmgr52
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cfgmgr52
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cfgmgr52
hkey HKLM
command RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dinst
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dinst
hkey HKLM
command C:\WINDOWS\dinst.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dinst
hkey HKLM
command C:\WINDOWS\dinst.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eltupt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltupt
hkey HKLM
command C:\WINDOWS\eltupt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item eltupt
hkey HKLM
command C:\WINDOWS\eltupt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gcasServ
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item gcasServ
hkey HKLM
command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HotKeysCmds
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hkcmd
hkey HKLM
command C:\WINDOWS\System32\hkcmd.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Component Manager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpcmpmgr
hkey HKLM
command "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb04
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb04
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IgfxTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item igfxtray
hkey HKLM
command C:\WINDOWS\System32\igfxtray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item optimize
hkey HKLM
command "C:\Program Files\Internet Optimizer\optimize.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightLAN 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPClient
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IPInSightMonitor 01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item IPMon32
hkey HKLM
command "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KavSvc
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kjklhl
hkey HKLM
command C:\WINDOWS\System32\kjklhl.exe reg_run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item kjklhl
hkey HKLM
command C:\WINDOWS\System32\kjklhl.exe reg_run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lanbrup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lanbrup
hkey HKLM
command C:\WINDOWS\System32\lanbrup.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item lanbrup
hkey HKLM
command C:\WINDOWS\System32\lanbrup.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lchyjb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ytgwiv
hkey HKLM
command c:\windows\system32\ytgwiv.exe r
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ytgwiv
hkey HKLM
command c:\windows\system32\ytgwiv.exe r
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcagent
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item McUpdate
hkey HKLM
command c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MediaGateway
hkey HKLM
command C:\Program Files\Media Gateway\MediaGateway.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Motive SmartBridge
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MotiveSB
hkey HKLM
command C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MotiveSB
hkey HKLM
command C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPFExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item MpfTray
hkey HKLM
command C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MPSExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mscifapp
hkey HKLM
command C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msxct
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msxct
hkey HKLM
command msxct.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msxct
hkey HKLM
command msxct.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Nsv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nsvsvc
hkey HKLM
command C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item nsvsvc
hkey HKLM
command C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSof1
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\System32\PSof1.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PSof1
hkey HKLM
command C:\WINDOWS\System32\PSof1.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\richup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item richup
hkey HKLM
command C:\WINDOWS\System32\richup.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item richup
hkey HKLM
command C:\WINDOWS\System32\richup.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Xagphg
hkey HKLM
command C:\WINDOWS\System32\Xagphg.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Xagphg
hkey HKLM
command C:\WINDOWS\System32\Xagphg.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sysnet
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysnet
hkey HKLM
command C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item sysnet
hkey HKLM
command C:\DOCUME~1\Owner\LOCALS~1\Temp\sysnet.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System service62
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka62
hkey HKLM
command C:\WINDOWS\etb\pokapoka62.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pokapoka62
hkey HKLM
command C:\WINDOWS\etb\pokapoka62.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SysCheckBop32
hkey HKLM
command C:\WINDOWS\SysCheckBop32
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SysCheckBop32
hkey HKLM
command C:\WINDOWS\SysCheckBop32
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemClockManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command C:\WINDOWS\\\\\\\\\\\\\\\\\\\
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command C:\WINDOWS\\\\\\\\\\\\\\\\\\\
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Tsl2
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tsl2
hkey HKLM
command C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item tsl2
hkey HKLM
command C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vidctrl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vidctrl
hkey HKLM
command C:\WINDOWS\System32\vidctrl\vidctrl.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item vidctrl
hkey HKLM
command C:\WINDOWS\System32\vidctrl\vidctrl.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VirusScan Online
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcvsshld
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VSOCheckTask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mcmnhdlr
hkey HKLM
command "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/29/2005 12:24:45 PM

REGEDIT4

; Registry Search by Bobbi Flekman
; Version: 1.0.2.1

; Results at 12/29/2005 12:32:49 PM for strings:
; 'fff4e223-7019-4ce7-be03-d7o3c8cce884'
; 'catcher.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}\InprocServer32]
@="C:\\Program Files\\DNS\\Catcher.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FFF24F28-3AE2-46CD-AEBE-2F625133A1CA}\1.0\0\win32]
@="C:\\Program Files\\DNS\\Catcher.dll"

; End Of The Log...
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby Kimberly » December 29th, 2005, 3:15 pm

While I'm looking up the logs, please do this :

Apropos fix showed nothing, could be a partial install or a new variant.

Reboot your computer in Safe Mode. MUST be safe mode, otherwise it will not be detected.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

______________________________

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

contextplus

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe. I will need that file later on.
______________________________

Reboot in Normal Mode and post the results of the regsearch.

If the regsearch comes up emty, Please Download Rootkit Revealer
http://www.sysinternals.com/Forum/uploa ... r_1.56.zip

Create a folder for Rootkit Revealer on the C: drive called C:\Rkr. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it Rkr. Extract all the files from the zip archive into that folder.

Open the Rkr folder and double-click the icon for RootkitRevealer.exe to launch the program. Save the log into that folder (File > Save)

If you get a warning, let the driver load...it will be a random named one but if you have spyware protections running the info they give (when warned) will tell you it is from sysinternals.

Post the rkr log please. (might be huge, make sure that it is not cut off)

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby aasha86 » December 29th, 2005, 7:01 pm

REGEDIT4

; Registry Search by Bobbi Flekman
; Version: 1.0.2.1

; Results at 12/29/2005 4:50:04 PM for strings:
; 'contextplus'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\CyiiFAGFaUEm\AU2]
"SU"="http://au.contextplus.net/services/AUServer"

[HKEY_USERS\S-1-5-21-1715567821-1770027372-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contextplus.com]

[HKEY_USERS\S-1-5-21-1715567821-1770027372-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contextplus.net]

; End Of The Log...
aasha86
Regular Member
 
Posts: 56
Joined: September 2nd, 2005, 3:07 pm

Unread postby Kimberly » December 29th, 2005, 7:09 pm

Perfect, it confirms the rootkit presence. Now we need the filenames and driver name to remove it. Based upon the results of the registry export, it is possible that we will need to run rootkit revealer but we'll see that after the registry export.

Copy/paste the following quote box into a new notepad (not wordpad) document.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\CyiiFAGFaUEm"

Save it to your Desktop as regkey.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name:regkey.bat
______________________________

Reboot your computer in Safe Mode. MUST be safe mode, otherwise it will not be detected.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Locate regkey.bat on your Desktop and double-click it. Reboot in Normal Mode. Locate c:\regkey.txt, copy/paste the content in your reply.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » December 29th, 2005, 9:38 pm

When finished with the instructions above, perform this small cleanup already. Stay away from p2p programs untill clean !

Download LQFix to your Desktop or to your usual Download Folder.
http://users.telenet.be/bluepatchy/miek ... /LQfix.zip
Unzip it to your Desktop. Don't use it yet.
______________________________

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text and that wordwrap is turned of.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gngsmsnx]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{551943cb-4c58-4e6d-880f-878698c53200}]

[-HKEY_CLASSES_ROOT\CLSID\{551943cb-4c58-4e6d-880f-878698c53200}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{551943cb-4c58-4e6d-880f-878698c53200}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FFF24F28-3AE2-46CD-AEBE-2F625133A1CA}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrowserUpdateSched"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\6clro2if]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\App32dll]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CasStub]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cfgmgr52]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dinst]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\eltupt]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Internet Optimizer]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KavSvc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lanbrup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lchyjb]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Media Gateway]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msxct]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PSof1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\richup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\secure]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sysnet]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\System service62]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemCheck]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SystemClockManager]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Tsl2]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vidctrl]


Save it to your desktop as Fixme.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fixme.reg
______________________________

Copy/paste the following text into a new Notepad document. Make sure that wordwrap is turned of.

@echo off
if exist "C:\sjkqjq.exe" attrib -r -s -h "C:\sjkqjq.exe"
if exist ""C:\WINDOWS\aoarm.dll" attrib -r -s -h "C:\WINDOWS\aoarm.dll"
if exist ""C:\WINDOWS\browser.exe" attrib -r -s -h "C:\WINDOWS\browser.exe"
if exist "C:\WINDOWS\del.tmp" attrib -r -s -h "C:\WINDOWS\del.tmp"
if exist "C:\WINDOWS\pyJ3k" attrib -r -s -h "C:\WINDOWS\pyJ3k"
if exist "C:\WINDOWS\unist2.exe" attrib -r -s -h "C:\WINDOWS\unist2.exe"
if exist "C:\WINDOWS\cfgmgr52.dll" attrib -r -s -h "C:\WINDOWS\cfgmgr52.dll"
if exist "C:\WINDOWS\dinst.exe" attrib -r -s -h "C:\WINDOWS\dinst.exe"
if exist "C:\WINDOWS\eltupt.exe" attrib -r -s -h "C:\WINDOWS\eltupt.exe"
if exist "C:\WINDOWS\SysCheckBop32" attrib -r -s -h "C:\WINDOWS\SysCheckBop32"
if exist "C:\WINDOWS\System32\kjklhl.exe" attrib -r -s -h "C:\WINDOWS\System32\kjklhl.exe"
if exist "c:\windows\system32\ytgwiv.exe" attrib -r -s -h "c:\windows\system32\ytgwiv.exe"
if exist "C:\WINDOWS\SYSTEM32\5bme7b96.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\5bme7b96.ini"
if exist "C:\WINDOWS\SYSTEM32\6clro2if.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\6clro2if.ini"
if exist "C:\WINDOWS\System32\6clro2if.exe" attrib -r -s -h "C:\WINDOWS\System32\6clro2if.exe"
if exist "C:\WINDOWS\SYSTEM32\ep02bmec.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\ep02bmec.ini"
if exist "C:\WINDOWS\SYSTEM32\ptcpjg7a.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\ptcpjg7a.ini"
if exist "C:\WINDOWS\SYSTEM32\rktpd728.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\rktpd728.ini"
if exist "C:\WINDOWS\SYSTEM32\seic20j8.ini" attrib -r -s -h "C:\WINDOWS\SYSTEM32\seic20j8.ini"
if exist "C:\WINDOWS\System32\ckcso.dll" attrib -r -s -h "C:\WINDOWS\System32\ckcso.dll"
if exist "C:\windows\system32\msnavc32.exe" attrib -r -s -h "C:\windows\system32\msnavc32.exe"
if exist "C:\WINDOWS\System32\lanbrup.exe" attrib -r -s -h "C:\WINDOWS\System32\lanbrup.exe"
if exist "C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe" attrib -r -s -h "C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe"
if exist "C:\WINDOWS\system32\bsva-egihsg52.exe" attrib -r -s -h "C:\WINDOWS\system32\bsva-egihsg52.exe"
if exist "C:\WINDOWS\system32\dmohgina.exe" attrib -r -s -h "C:\WINDOWS\system32\dmohgina.exe"
if exist "C:\WINDOWS\system32\GSM3-0511.exe" attrib -r -s -h "C:\WINDOWS\system32\GSM3-0511.exe"
if exist "C:\WINDOWS\system32\InstallerV4.exe" attrib -r -s -h "C:\WINDOWS\system32\InstallerV4.exe"
if exist "C:\WINDOWS\system32\lanbruns.exe" attrib -r -s -h "C:\WINDOWS\system32\lanbruns.exe"
if exist "C:\WINDOWS\system32\odbshrui.exe" attrib -r -s -h "C:\WINDOWS\system32\odbshrui.exe"
if exist "C:\WINDOWS\system32\richedtr.dll" attrib -r -s -h "C:\WINDOWS\system32\richedtr.dll"
if exist "C:\WINDOWS\System32\PSof1.exe" attrib -r -s -h "C:\WINDOWS\System32\PSof1.exe"
if exist "C:\WINDOWS\System32\richup.exe" attrib -r -s -h "C:\WINDOWS\System32\richup.exe"
if exist "C:\WINDOWS\system32\Cache\ssee.exe" attrib -r -s -h "C:\WINDOWS\system32\Cache\ssee.exe"
if exist "C:\Documents and Settings\Owner\a.exe" attrib -r -s -h "C:\Documents and Settings\Owner\a.exe"
if exist "C:\Program Files\Common Files\mc-58-12-0000140.exe" attrib -r -s -h "C:\Program Files\Common Files\mc-58-12-0000140.exe"
if exist "C:\Program Files\Common Files\services.exe" attrib -r -s -h "C:\Program Files\Common Files\services.exe"

if exist "C:\sjkqjq.exe" del /q "C:\sjkqjq.exe"
if exist ""C:\WINDOWS\aoarm.dll" del /q "C:\WINDOWS\aoarm.dll"
if exist ""C:\WINDOWS\browser.exe" del /q "C:\WINDOWS\browser.exe"
if exist "C:\WINDOWS\del.tmp" del /q "C:\WINDOWS\del.tmp"
if exist "C:\WINDOWS\pyJ3k" del /q "C:\WINDOWS\pyJ3k"
if exist "C:\WINDOWS\unist2.exe" del /q "C:\WINDOWS\unist2.exe"
if exist "C:\WINDOWS\cfgmgr52.dll" del /q "C:\WINDOWS\cfgmgr52.dll"
if exist "C:\WINDOWS\dinst.exe" del /q "C:\WINDOWS\dinst.exe"
if exist "C:\WINDOWS\eltupt.exe" del /q "C:\WINDOWS\eltupt.exe"
if exist "C:\WINDOWS\SysCheckBop32" del /q "C:\WINDOWS\SysCheckBop32"
if exist "C:\WINDOWS\System32\kjklhl.exe" del /q "C:\WINDOWS\System32\kjklhl.exe"
if exist "c:\windows\system32\ytgwiv.exe" del /q "c:\windows\system32\ytgwiv.exe"
if exist "C:\WINDOWS\SYSTEM32\5bme7b96.ini" del /q "C:\WINDOWS\SYSTEM32\5bme7b96.ini"
if exist "C:\WINDOWS\SYSTEM32\6clro2if.ini" del /q "C:\WINDOWS\SYSTEM32\6clro2if.ini"
if exist "C:\WINDOWS\System32\6clro2if.exe" del /q "C:\WINDOWS\System32\6clro2if.exe"
if exist "C:\WINDOWS\SYSTEM32\ep02bmec.ini" del /q "C:\WINDOWS\SYSTEM32\ep02bmec.ini"
if exist "C:\WINDOWS\SYSTEM32\ptcpjg7a.ini" del /q "C:\WINDOWS\SYSTEM32\ptcpjg7a.ini"
if exist "C:\WINDOWS\SYSTEM32\rktpd728.ini" del /q "C:\WINDOWS\SYSTEM32\rktpd728.ini"
if exist "C:\WINDOWS\SYSTEM32\seic20j8.ini" del /q "C:\WINDOWS\SYSTEM32\seic20j8.ini"
if exist "C:\WINDOWS\System32\ckcso.dll" del /q "C:\WINDOWS\System32\ckcso.dll"
if exist "C:\windows\system32\msnavc32.exe" del /q "C:\windows\system32\msnavc32.exe"
if exist "C:\WINDOWS\System32\lanbrup.exe" del /q "C:\WINDOWS\System32\lanbrup.exe"
if exist "C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe" del /q "C:\WINDOWS\system32\97_Ventura4_4_0_3_7.exe"
if exist "C:\WINDOWS\system32\bsva-egihsg52.exe" del /q "C:\WINDOWS\system32\bsva-egihsg52.exe"
if exist "C:\WINDOWS\system32\dmohgina.exe" del /q "C:\WINDOWS\system32\dmohgina.exe"
if exist "C:\WINDOWS\system32\GSM3-0511.exe" del /q "C:\WINDOWS\system32\GSM3-0511.exe"
if exist "C:\WINDOWS\system32\InstallerV4.exe" del /q "C:\WINDOWS\system32\InstallerV4.exe"
if exist "C:\WINDOWS\system32\lanbruns.exe" del /q "C:\WINDOWS\system32\lanbruns.exe"
if exist "C:\WINDOWS\system32\odbshrui.exe" del /q "C:\WINDOWS\system32\odbshrui.exe"
if exist "C:\WINDOWS\system32\richedtr.dll" del /q "C:\WINDOWS\system32\richedtr.dll"
if exist "C:\WINDOWS\System32\PSof1.exe" del /q "C:\WINDOWS\System32\PSof1.exe"
if exist "C:\WINDOWS\System32\richup.exe" del /q "C:\WINDOWS\System32\richup.exe"
if exist "C:\WINDOWS\system32\Cache\ssee.exe" del /q "C:\WINDOWS\system32\Cache\ssee.exe"
if exist "C:\Documents and Settings\Owner\a.exe" del /q "C:\Documents and Settings\Owner\a.exe"
if exist "C:\Program Files\Common Files\mc-58-12-0000140.exe" del /q "C:\Program Files\Common Files\mc-58-12-0000140.exe"
if exist "C:\Program Files\Common Files\services.exe" del /q "C:\Program Files\Common Files\services.exe"


Save it to your desktop as cleanme.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: cleanme.bat
______________________________

Download Brute Force Uninstaller if not yet done.
http://www.merijn.org/files/bfu.zip

Create a folder for BFU on the C: drive called C:\BFU. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it BFU. Extract the files from the zip archive into that folder.
Run the program and click the Web button as shown by the blue arrow below:
Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/p2pnetwork.bfu

Execute the script by clicking the Execute button. Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program. Reboot the computer in Safe Mode.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
______________________________

Boot into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
Close ALL running programs before running the tool. Double-click LQFix.bat. A DOS window should open and close, this is normal. Occasionally a DOS box may appear asking your permission to delete some files in Temporary Windows directories. You must accept the deletion of these to be sure of properly removing the malware. When the tool has finished, continue with the instructions below.

Note: If you get an error similar to:
autoexec.nt the system file is not suitable for running ms-dos etc etc , or a 16 bit app error etc etc
Go here and use the appropriate fix for your system then run the fix again in Safe Mode.
http://www.tech-forums.net/computer/topic/29806.html
More info here: http://support.microsoft.com/default.as ... -us;324767
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Procede like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.

Double click cleanme.bat. A DOS box should open and close quickly, this is normal.

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\Common Files\InetGet
C:\Program Files\Common Files\InetGet2
C:\Program Files\Common Files\tsl2
C:\Program Files\DNS
C:\Program Files\CasStub
C:\Program Files\Internet Optimizer
C:\Program Files\Media Gateway
C:\WINDOWS\etb
C:\WINDOWS\System32\vidctrl
______________________________

Reboot in Normal Mode.

Copy/paste the following quote box into a new notepad (not wordpad) document.

regedit /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt

Save it to your Desktop as regkey.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name:regkey.bat

Locate regkey.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

When I have the requested info for the rootkit, we will remove that and see what is left over.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 60 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware