here's my hijackthis.log

Post by joshandsara » March 21st, 2007, 7:11 pm

Logfile of HijackThis v1.99.1
Scan saved at 6:07:53 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wilhite\Desktop\abc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm082YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{7254E6F4-AF2E-4CB5-8351-8D50358BEBB1}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA6B4021-4E25-4233-A5AF-A8F30ABE2D77}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
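The log above is the kind of thing a helper reads by eye: O17 lines whose NameServer values point at resolvers the machine has no reason to use, O2/O3/O9 add-ons whose backing DLL is gone, and a process launched from the user's Desktop. The script below is an added triage example for this thread, not code from HijackThis or from anyone in the thread. It parses a 1.99.x-style log and reports exactly those three indicators. The `EXPECTED_NAMESERVERS` set is an assumption (the machine's real resolvers are not given in the thread, so a private router address stands in), and `SAMPLE_LOG` is a constructed subset of the lines posted above.

```python
"""Triage a HijackThis 1.99.x log for three common hijack indicators.

Added example for this thread; not part of HijackThis or the original post.
Flags: O17 NameServer overrides outside an allow-list, O2/O3/O9 add-ons with
no backing file, and processes running from a user-profile directory.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: the resolvers this machine should be using are not known from
# the thread, so a private-range router address is used as a placeholder.
# Any O17 NameServer value not in this set is reported.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Substrings (lower-cased) marking a process path that a helper would
# normally ask about: executables running out of a user profile.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\desktop\\", "\\temp\\")

O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
ADDON_RE = re.compile(r"^(O2|O3|O9) - .+ - (\{[0-9A-Fa-f-]+\}) - (.+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    kind: str    # dns-override | orphaned-addon | process-in-user-profile
    detail: str  # the rogue resolvers, the CLSID, or the process path
    line: str    # the original log line, for the reply to the poster


def triage_hjt_log(text: str) -> list[Finding]:
    """Walk the log once and return a list of Finding objects."""
    findings: list[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if any(m in line.lower() for m in USER_PROFILE_MARKERS):
                findings.append(Finding("process-in-user-profile", line, raw))
            continue
        m = O17_RE.match(line)
        if m:
            # HJT prints the list comma-separated for interface keys and
            # space-separated for Parameters; pull out the addresses either way.
            servers = IPV4_RE.findall(m.group(1))
            rogue = [s for s in servers if s not in EXPECTED_NAMESERVERS]
            if rogue:
                findings.append(Finding("dns-override", ", ".join(rogue), raw))
            continue
        m = ADDON_RE.match(line)
        if m:
            target = m.group(3)
            if "(no file)" in target or "(file missing)" in target:
                findings.append(Finding("orphaned-addon", m.group(2), raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, handy for a one-line reply."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wilhite\Desktop\abc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com/
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run it against a saved log with `triage_hjt_log(open("hijackthis.log").read())`. The O17 check is the one worth automating: a DNS override survives removing every BHO and Run entry, and a machine whose resolvers belong to someone else will keep being redirected no matter how clean the rest of the log looks.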

Post by wng_z3r0 » March 21st, 2007, 7:13 pm

User being helped in IRC.

~wng

Post by wng_z3r0 » March 21st, 2007, 7:25 pm

  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen

    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding, this is normal
  • Wait for the scan to finish, this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off

Post by joshandsara » March 21st, 2007, 7:43 pm

WinPFind logfile created on: 3/21/2007 6:36:39 PM
WinPFind by OldTimer - v2.0.2 Folder = C:\Documents and Settings\Wilhite\Desktop\WinPFind\

»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»»»

777596 Kb Total Physical Memory | 253092 Kb Available Physical Memory | 32.55% Memory free
1901148 Kb Paging File | 1463924 Kb Available in Paging File | 77.00% Paging File free
Paging file location: C:\pagefile.sys 1140 2280

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74927156 Kb Total Space | 57253816 Kb Free Space | 76.41% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»

C:\Documents and Settings\Wilhite\Desktop\abc.exe (Soeperman Enterprises Ltd.)
C:\Documents and Settings\Wilhite\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.)
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe (Hewlett-Packard Co.)
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
C:\Program Files\MySpace\IM\MySpaceIM.exe ()
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (Symantec Corporation)
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (Symantec Corporation)
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation)

»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»

(ccEvtMgr) Symantec Event Manager [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)

(ccProxy) Symantec Network Proxy [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (Symantec Corporation)

(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)

(DefWatch) Symantec AntiVirus Definition Watcher [Win32_Own | Auto | Running]
= C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)

(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
= C:\WINDOWS\system32\dmadmin.exe (Microsoft Corp., Veritas Software)

(EvtEng) EvtEng [Win32_Own | Auto | Running]
= C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)

(ISSVC) IS Service [Win32_Own | Auto | Running]
= C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe (Symantec Corporation)

(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)

(NICCONFIGSVC) NICCONFIGSVC [Win32_Own | Auto | Running]
= C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.)

(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Stopped]
= C:\WINDOWS\system32\HPZipm12.exe (HP)

(RegSrvc) RegSrvc [Win32_Own | Auto | Running]
= C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)

(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running]
= C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )

(SavRoam) SavRoam [Win32_Own | On_Demand | Stopped]
= C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe (symantec)

(SNDSrvc) Symantec Network Drivers Service [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)

(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Running]
= C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)

(Symantec AntiVirus) Symantec AntiVirus [Win32_Own | Auto | Running]
= C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)

(SymSecurePort) Symantec SecurePort [Win32_Own | Auto | Running]
= C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe (Symantec Corporation)

(WLANKEEPER) WLANKEEPER [Win32_Own | Auto | Running]
= C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)

»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»

>>>>> Run Keys and Auto-Start Folders <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
= (File not found)
Apoint = C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
dla = C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
DVDLauncher = C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Co.)
igfxpers = C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
igfxtray = C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
IntelWireless = C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
ISUSPM Startup = C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
ISUSScheduler = C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
MSKDetectorExe = C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
PCMService = C:\Program Files\Dell\Media Experience\PCMService.exe (File not found)
vptray = C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MySpaceIM = C:\Program Files\MySpace\IM\MySpaceIM.exe ()
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Installed = 1

< Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
= C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
= C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

< User Startup Folder = C:\Documents and Settings\Wilhite\Start Menu\Programs\Startup >
C:\Documents and Settings\Wilhite\Start Menu\Programs\Startup\desktop.ini ()

>>>>> MsConfig Disabled Items <<<<<

>>>>> Disabled Startup Folder Items <<<<<

>>>>> File Associations <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
.hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

>>>>> Registry Shell Spawning <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -> "%1" %* (File not found)
batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -> "%1" %* (File not found)
cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

comfile [open] -> "%1" %* (File not found)

cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

exefile [open] -> "%1" %* (File not found)

htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

https [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

piffile [open] -> "%1" %* (File not found)

regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -> Reg Data - Key not found
regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

scrfile [config] -> "%1" (File not found)
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -> "%1" /S (File not found)

txtfile [edit] -> Reg Data - Key not found
txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

>>>>> ActiveX StubPath settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

>>>>> WOW Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
cmdline = %SystemRoot%\system32\ntvdm.exe
wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

>>>>> Session Manager Settings <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
BootExecute = autocheck autochk *;
ExcludeFromKnownDlls =
PendingFileRenameOperations = \??\C:\Config.Msi\8f605.rbf;

>>>>> Items Started Through Miscellaneous Registry Keys <<<<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{b292ec9f-a074-4115-8342-1f459702d8d2} = characterizing ( HKLM = C:\WINDOWS\system32\fyxkaah.dll () )

>>>>> Security Providers <<<<<

>>>>> Winlogon Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System]
kduqx.exe (File not found)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
Control_RunDLL (File not found)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
DllName = C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless]
DllName = C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
DllName = C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

>>>>> Policy Keys <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
NoCDBurning = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
dontdisplaylastusername = 0
legalnoticecaption =
legalnoticetext =
shutdownwithoutlogon = 1
undockwithoutlogon = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveTypeAutoRun = 145

>>>>> Desktop Components <<<<<

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
FriendlyName = My Current Home Page
Source = About:Home
SubscribedURL = About:Home

>>>>> HOSTS File <<<<<

HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 734 bytes | Modified Date: 4/21/2006 11:02:54 PM)
127.0.0.1 localhost

>>>>> Internet Explorer Settings <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.insightbb.com
Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Local Page = %SystemRoot%\system32\blank.htm
Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
Start Page = http://www.yahoo.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
Default_Page_URL = http://www.google.com/ig/dell?hl=en
Local Page = C:\WINDOWS\system32\blank.htm
Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
Start Page = http://www.insightbb.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0

>>>>> Browser Helper Objects <<<<<

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
- MyWebSearch Search Assistant BHO ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
- Yahoo! Toolbar Helper ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
- Adobe PDF Reader Link Helper ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
- Reg Data - Value does not exist ( HKLM = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
- DriveLetterAccess ( HKLM = C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
- SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}]
- ( HKLM = C:\Program Files\Video Access ActiveX Object\isadd.dll (File not found) )

>>>>> Bars, Toolbars and Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}]
- Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - Protection Bar ( HKLM = Reg Data - Key not found (File not found) )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\ShellBrowser]
{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
{2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar ( HKLM = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) )

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8194 - Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} = 8192 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
{FB5F1910-F110-11d2-BB9E-00C04F795683} = 8193 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
NextId = 8195

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
MenuText = Sun Java Console
ClsidExtension = {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - Java Plug-in 1.5.0_10 ( HKLM C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (Sun Microsystems, Inc.) )
ClsidExtension = {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - Java Plug-in 1.5.0_10 ( HKCU C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (Sun Microsystems, Inc.) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}]
ButtonText = PartyPoker.com
MenuText = PartyPoker.com
Exec = C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search]
@ = http:\edits.mywebsearch.com\toolbaredits\menusearch.jht (File not found)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@ = 000 (File not found)

>>>>> Approved Shell Extensions <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
{0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
{42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
{5464D816-CF16-4784-B9F3-75C0DB52B499} = YMailShellExt Class ( HKLM = C:\Program Files\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.) )
{5CA3D70E-1895-11CF-8E15-001234567890} = DriveLetterAccess ( HKLM = C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions) )
{764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
{7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
{88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.) )
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = VpshellEx Class ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

>>>>> Context Menu Handlers / Column Handlers <<<<<

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@ = {5464D816-CF16-4784-B9F3-75C0DB52B499} ( HKLM = C:\Program Files\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.) )

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers\igfxcui]
@ = {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} ( HKLM = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation) )

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu]
@ = {BDA77241-42F6-11d0-85E2-00AA001FE28C} ( HKLM = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation) )

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}]
- PDF Shell Extension ( HKLM = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll (Adobe Systems, Inc.) )

>>>>> User Agent Post Platform <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

>>>>> TCP/IP Configuration <<<<<

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}] ( Intel(R) PRO/Wireless 2200BG Network Connection )
DefaultGateway =
DhcpDefaultGateway = 192.168.1.1;
DhcpIPAddress = 192.168.1.101
DhcpNameServer = 74.137.112.196 74.137.112.195
DhcpServer = 192.168.1.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer = 85.255.115.52,85.255.112.202
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7254E6F4-AF2E-4CB5-8351-8D50358BEBB1}] ( Broadcom 440x 10/100 Integrated Controller )
DefaultGateway =
DhcpIPAddress = 192.168.0.65
DhcpServer = 192.168.0.1
DhcpSubnetMask = 255.255.255.0
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
IPAutoconfigurationAddress = 0.0.0.0
NameServer = 85.255.115.52,85.255.112.202
SubnetMask = 0.0.0.0;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA6B4021-4E25-4233-A5AF-A8F30ABE2D77}] ( 1394 Net Adapter )
DefaultGateway =
DhcpNameServer = 85.255.115.52,85.255.112.202
Domain =
EnableDHCP = 1
IPAddress = 0.0.0.0;
NameServer = 85.255.115.52,85.255.112.202
SubnetMask = 0.0.0.0;

>>>>> WinSock2 Parameters <<<<<

>>>>> Protocol Handlers <<<<<

>>>>> Protocol Filters <<<<<

>>>>> Downloaded Program Files <<<<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab
INF = C:\WINDOWS\Downloaded Program Files\swflash.inf

»»»»»»»»»»»»»»»»»»»» Files Created Within 60 Days »»»»»»»»»»»»»

C:\Documents and Settings\Wilhite\My Documents\PAIN002596328021320071IDC[1].pdf [Ver = | Size = 9462 bytes | Created Date = 3/1/2007 4:27:16 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Ad-Aware SE Personal.lnk [Ver = | Size = 841 bytes | Created Date = 3/21/2007 2:01:33 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Adobe Reader 7.0.lnk [Ver = | Size = 1740 bytes | Created Date = 3/21/2007 1:52:09 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk [Ver = | Size = 1876 bytes | Created Date = 2/18/2007 12:00:34 PM | Attr = ]
C:\Documents and Settings\Wilhite\Desktop\abc.exe Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Created Date = 3/21/2007 5:05:59 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\abc.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\APA Basics.ppt [Ver = | Size = 242688 bytes | Created Date = 2/21/2007 8:58:49 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\APA Basics.ppt:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\GROUP PORTION.doc [Ver = | Size = 27136 bytes | Created Date = 3/19/2007 6:22:03 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\GROUP PORTION.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\LimeWire 4.8.1.lnk [Ver = | Size = 1578 bytes | Created Date = 2/2/2007 9:58:15 PM | Attr = ]
C:\Documents and Settings\Wilhite\Desktop\Phase 3 Discussion Board.doc [Ver = | Size = 26624 bytes | Created Date = 3/19/2007 6:21:09 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Discussion Board.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Phase 3 Group Portion.doc [Ver = | Size = 964 bytes | Created Date = 3/20/2007 9:18:39 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Group Portion.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Sara Petersen.doc [Ver = | Size = 31744 bytes | Created Date = 3/19/2007 6:22:43 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Sara Petersen.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Spybot - Search & Destroy.lnk [Ver = | Size = 933 bytes | Created Date = 3/21/2007 1:19:03 PM | Attr = ]
C:\Documents and Settings\Wilhite\Desktop\Thumbs.db [Ver = | Size = 5120 bytes | Created Date = 3/15/2007 2:26:33 PM | Attr = HS]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Thumbs.db:encryptable (0 bytes)
C:\Documents and Settings\Wilhite\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Created Date = 3/21/2007 5:33:58 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [Ver = | Size = 1757 bytes | Created Date = 3/21/2007 1:52:09 PM | Attr = ]
C:\WINDOWS\OpPrintServer.INI [Ver = | Size = 0 bytes | Created Date = 2/18/2007 12:01:20 PM | Attr = ]
C:\WINDOWS\vpc32.INI [Ver = | Size = 0 bytes | Created Date = 3/15/2007 3:04:52 PM | Attr = ]
C:\WINDOWS\System32\epoPGPsdk.dll PGP Corporation [Ver = 3.5.3 | Size = 1495552 bytes | Created Date = 3/15/2007 12:19:47 PM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.TMP [Ver = | Size = 1602 bytes | Created Date = 3/15/2007 12:54:35 PM | Attr = ]
C:\WINDOWS\System32\profile.dat [Ver = | Size = 40 bytes | Created Date = 3/15/2007 12:30:30 PM | Attr = ]
C:\WINDOWS\System32\S32EVNT1.DLL Symantec Corporation [Ver = 12.1.2.1 | Size = 48816 bytes | Created Date = 3/15/2007 12:28:21 PM | Attr = ]
C:\WINDOWS\System32\drivers\SYMEVENT.SYS Symantec Corporation [Ver = 12.1.2.1 | Size = 109744 bytes | Created Date = 3/15/2007 12:28:21 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» Files Modified Within 30 Days »»»»»»»»»»»»»

C:\hiberfil.sys [Ver = | Size = 796327936 bytes | Modified Date = 3/21/2007 2:41:48 PM | Attr = HS]
C:\Documents and Settings\Wilhite\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [Ver = | Size = 83456 bytes | Modified Date = 3/16/2007 5:39:56 PM | Attr = ]
C:\Documents and Settings\Wilhite\Local Settings\Application Data\IconCache.db [Ver = | Size = 4287434 bytes | Modified Date = 3/1/2007 5:27:48 PM | Attr = H ]
C:\Documents and Settings\Wilhite\My Documents\BackCompat_01-2007.zip [Ver = | Size = 10993720 bytes | Modified Date = 3/17/2007 9:22:26 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\BackCompat_01-2007.zip:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\My Documents\PAIN002596328021320071IDC[1].pdf [Ver = | Size = 9462 bytes | Modified Date = 3/1/2007 5:27:18 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Ad-Aware SE Personal.lnk [Ver = | Size = 841 bytes | Modified Date = 3/21/2007 3:01:34 PM | Attr = ]
C:\Documents and Settings\All Users\Desktop\Adobe Reader 7.0.lnk [Ver = | Size = 1740 bytes | Modified Date = 3/21/2007 2:52:10 PM | Attr = ]
C:\Documents and Settings\Wilhite\Desktop\abc.exe Soeperman Enterprises Ltd. [Ver = 1.99.0001 | Size = 218112 bytes | Modified Date = 3/21/2007 6:06:06 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\abc.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\APA Basics.ppt [Ver = | Size = 242688 bytes | Modified Date = 2/21/2007 9:58:52 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\APA Basics.ppt:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\GROUP PORTION.doc [Ver = | Size = 27136 bytes | Modified Date = 3/19/2007 7:22:08 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\GROUP PORTION.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Phase 3 Discussion Board.doc [Ver = | Size = 26624 bytes | Modified Date = 3/19/2007 7:21:14 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Discussion Board.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Phase 3 Group Portion.doc [Ver = | Size = 964 bytes | Modified Date = 3/20/2007 10:18:44 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Group Portion.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Sara Petersen.doc [Ver = | Size = 31744 bytes | Modified Date = 3/19/2007 7:22:48 AM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Sara Petersen.doc:Zone.Identifier (26 bytes)
C:\Documents and Settings\Wilhite\Desktop\Spybot - Search & Destroy.lnk [Ver = | Size = 933 bytes | Modified Date = 3/21/2007 2:19:04 PM | Attr = ]
C:\Documents and Settings\Wilhite\Desktop\Thumbs.db [Ver = | Size = 5120 bytes | Modified Date = 3/15/2007 3:26:34 PM | Attr = HS]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Thumbs.db:encryptable (0 bytes)
C:\Documents and Settings\Wilhite\Desktop\winpfind.exe [Ver = | Size = 264211 bytes | Modified Date = 3/21/2007 6:34:04 PM | Attr = ]
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [Ver = | Size = 1757 bytes | Modified Date = 3/21/2007 2:52:10 PM | Attr = ]
C:\WINDOWS\bootstat.dat [Ver = | Size = 2048 bytes | Modified Date = 3/21/2007 2:41:50 PM | Attr = S]
C:\WINDOWS\randseed.rnd [Ver = | Size = 512 bytes | Modified Date = 3/14/2007 5:55:10 PM | Attr = ]
C:\WINDOWS\vpc32.INI [Ver = | Size = 0 bytes | Modified Date = 3/15/2007 4:04:54 PM | Attr = ]
C:\WINDOWS\System32\fyxkaah.dll [Ver = | Size = 7168 bytes | Modified Date = 3/17/2007 12:59:56 PM | Attr = S]
C:\WINDOWS\System32\perfc009.dat [Ver = | Size = 41584 bytes | Modified Date = 3/15/2007 1:54:36 PM | Attr = ]
C:\WINDOWS\System32\perfh009.dat [Ver = | Size = 314390 bytes | Modified Date = 3/15/2007 1:54:36 PM | Attr = ]
C:\WINDOWS\System32\PerfStringBackup.TMP [Ver = | Size = 1602 bytes | Modified Date = 3/15/2007 1:54:36 PM | Attr = ]
C:\WINDOWS\System32\profile.dat [Ver = | Size = 40 bytes | Modified Date = 3/17/2007 12:59:24 PM | Attr = ]
C:\WINDOWS\System32\wpa.dbl [Ver = | Size = 2206 bytes | Modified Date = 3/21/2007 2:42:26 PM | Attr = ]

»»»»»»»»»»»»»»»»»»»» File String Scan (Non-Microsoft Only) »»»»»
@Alternate Data Stream - C:\Documents and Settings\All Users\Application Data\TEMP:ECF5194F (126 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\07 NCO Exchange Announcement.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\Accident Avoidance Training for June.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\BackCompat_01-2007.zip:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\RememberitWell.pps:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\STG15283:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\My Documents\Thumbs.db:encryptable (0 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\abc.exe:Zone.Identifier (26 bytes)
[UPX! , UPX0 , ]C:\Documents and Settings\Wilhite\Desktop\abc.exe (Soeperman Enterprises Ltd.)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\APA Basics.ppt:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Budget Planner Demo.xls:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\GROUP PORTION.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Discussion Board.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Phase 3 Group Portion.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Sara Petersen.doc:Zone.Identifier (26 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\Thumbs.db:encryptable (0 bytes)
@Alternate Data Stream - C:\Documents and Settings\Wilhite\Desktop\winpfind.exe:Zone.Identifier (26 bytes)
[PEC2 , ]C:\WINDOWS\System32\dfrg.msc ()
[Thawte Consulting , USERTRUST , ]C:\WINDOWS\System32\epoPGPsdk.dll (PGP Corporation)
[UPX! , UPX0 , ]C:\WINDOWS\System32\fyxkaah.dll ()
[PEC2 , ]C:\WINDOWS\System32\KGyGaAvL.sys ()
[winsync , ]C:\WINDOWS\System32\wbdbase.deu ()

< End of report >
joshandsara
Active Member
 
Posts: 7
Joined: March 21st, 2007, 3:08 pm

Unread postby wng_z3r0 » March 21st, 2007, 7:47 pm

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe
Do NOT run it yet.
______________________________

Please download the trial version of Ewido anti-malware 3.5 from here:
http://www.ewido.net/en/download/
  • Install Ewido anti-malware.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.


Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________



Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

--------------------------------

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan.
  • Click on Scanner
  • Click on Settings
    • Under How to scan all boxes should be checked
    • Under Unwanted Software all boxes should be checked
    • Under What to scan select Scan every file
    • Click on Ok
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
  • Click Save Report button
  • Save the report to your Desktop
Close Ewido and Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

Please post:
  1. c:\rapport.txt
  2. report.txt (on your desktop)
  3. Ewido log
  4. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
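The log above carries the same static NameServer pair on all three interfaces, including the 1394 adapter that holds no DHCP lease, while the wireless adapter's lease offered different servers. As an added example (not code from the thread or from any of the tools named in it), the Python below parses the TCP/IP Configuration section of a WinPFind-style report and reports each interface where a static NameServer stands in for the lease; the interface values are the three blocks from the log above, and the clean comparison block is constructed.

```python
"""Flag static DNS overrides in the TCP/IP Configuration section of a WinPFind report.

Added example: not code from the thread, nor from WinPFind, SmitfraudFix or FixWareout.
A DHCP-configured interface takes its resolvers from the lease (DhcpNameServer) unless a
static NameServer is set, which takes precedence. The same static pair on every adapter,
including one that holds no lease, was set on the host rather than handed out by a lease.
The check reports that configuration; it does not identify what wrote it.
"""
import re
from collections import Counter

# Header of one interface block: the interface GUID, then the adapter name in parentheses.
INTERFACE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\(\{[0-9A-Fa-f-]{36}\})\]\s*\((.*)\)\s*$"
)

# Sample input: the DNS-related values of the three interface blocks in the log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}] ( Intel(R) PRO/Wireless 2200BG Network Connection )
DhcpNameServer = 74.137.112.196 74.137.112.195
DhcpServer = 192.168.1.1
EnableDHCP = 1
NameServer = 85.255.115.52,85.255.112.202

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7254E6F4-AF2E-4CB5-8351-8D50358BEBB1}] ( Broadcom 440x 10/100 Integrated Controller )
DhcpServer = 192.168.0.1
EnableDHCP = 1
NameServer = 85.255.115.52,85.255.112.202

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AA6B4021-4E25-4233-A5AF-A8F30ABE2D77}] ( 1394 Net Adapter )
DhcpNameServer = 85.255.115.52,85.255.112.202
EnableDHCP = 1
NameServer = 85.255.115.52,85.255.112.202
"""

# Constructed comparison block: a leased adapter that leaves NameServer empty (the expected state).
CLEAN_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000001}] ( Constructed Adapter )
DhcpNameServer = 192.168.1.1
DhcpServer = 192.168.1.1
EnableDHCP = 1
NameServer =
"""

def parse_interfaces(text):
    """Return [{guid, name, values}] for each interface block in the section."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = INTERFACE_KEY.match(line)
        if header:
            current = {"guid": header.group(1), "name": header.group(2).strip(), "values": {}}
            interfaces.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["values"][key.strip()] = value.strip()
    return interfaces

def split_servers(value):
    """NameServer separates with commas, DhcpNameServer with spaces; drop a trailing ';'."""
    return [s for s in re.split(r"[ ,;]+", value) if s]

def analyze(text):
    """Report DHCP-enabled interfaces whose static NameServer replaces the lease's resolvers."""
    interfaces = parse_interfaces(text)
    findings, static_sets = [], Counter()
    for iface in interfaces:
        v = iface["values"]
        static = split_servers(v.get("NameServer", ""))
        dhcp = split_servers(v.get("DhcpNameServer", ""))
        if not static or v.get("EnableDHCP") != "1":
            continue  # no override, or a deliberately static configuration: out of scope here
        static_sets[tuple(static)] += 1
        if not v.get("DhcpServer"):
            reason = "static NameServer on a DHCP-enabled interface that holds no lease"
        elif not dhcp:
            reason = "static NameServer on a leased interface whose lease lists no DNS servers"
        elif static != dhcp:
            reason = "static NameServer overrides the DHCP-assigned servers"
        else:
            continue  # the static list merely repeats the lease: nothing to report
        findings.append({"guid": iface["guid"], "name": iface["name"],
                         "servers": static, "reason": reason})
    # The same static pair pinned on every interface in the report is the strongest signal.
    shared = [list(s) for s, n in static_sets.items() if n == len(interfaces) > 1]
    return {"findings": findings, "shared_servers": shared}

if __name__ == "__main__":
    for sample in (SAMPLE, CLEAN_SAMPLE):
        report = analyze(sample)
        for f in report["findings"]:
            print(f"{f['name']}: {f['reason']} -> {', '.join(f['servers'])}")
        for servers in report["shared_servers"]:
            print("same static resolvers on every interface:", ", ".join(servers))
        if not report["findings"]:
            print("no static DNS override found")
```

Run against a full WinPFind report, the parser simply ignores every line outside the interface blocks, so the whole file can be passed in unchanged.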

I scanned it and here are my logs one at a time: 1

Unread postby joshandsara » March 21st, 2007, 10:31 pm

SmitFraudFix v2.152

Scan done at 19:56:35.01, Wed 03/21/2007
Run from C:\Documents and Settings\Wilhite\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
joshandsara

:2

Unread postby joshandsara » March 21st, 2007, 10:37 pm

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:20:47 PM 3/21/2007

+ Scan result:



HKU\S-1-5-21-3386146715-3900537895-2555058154-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717} -> Adware.Generic : Ignored.
C:\Documents and Settings\Wilhite\Desktop\SmitfraudFix.zip/SmitfraudFix/SmiUpdate.exe -> Adware.SmiUpdate : Ignored.
C:\Documents and Settings\Wilhite\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Ignored.
C:\Documents and Settings\Wilhite\My Documents\My Videos\WarezP2P.exe -> Downloader.Small : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10B.tmp -> TrackingCookie.2o7 : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10F.tmp -> TrackingCookie.Advertising : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33F.tmp -> TrackingCookie.Advertising : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq110.tmp -> TrackingCookie.Atdmt : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq111.tmp -> TrackingCookie.Bfast : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> TrackingCookie.Bluestreak : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq340.tmp -> TrackingCookie.Bluestreak : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq116.tmp -> TrackingCookie.Bridgetrack : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq343.tmp -> TrackingCookie.Bridgetrack : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq114.tmp -> TrackingCookie.Burstnet : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq341.tmp -> TrackingCookie.Burstnet : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq115.tmp -> TrackingCookie.Casalemedia : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq342.tmp -> TrackingCookie.Casalemedia : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq117.tmp -> TrackingCookie.Com : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq119.tmp -> TrackingCookie.Coremetrics : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11A.tmp -> TrackingCookie.Doubleclick : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11C.tmp -> TrackingCookie.Fastclick : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11D.tmp -> TrackingCookie.Findwhat : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11E.tmp -> TrackingCookie.Goclick : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq345.tmp -> TrackingCookie.Hitbox : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq346.tmp -> TrackingCookie.Hitbox : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp -> TrackingCookie.Linksynergy : Ignored.
C:\WINDOWS\Temp\Cookies\wilhite@image.masterstats[1].txt -> TrackingCookie.Masterstats : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq120.tmp -> TrackingCookie.Mediaplex : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq348.tmp -> TrackingCookie.Paycounter : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq124.tmp -> TrackingCookie.Pointroll : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq118.tmp -> TrackingCookie.Pro-market : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq125.tmp -> TrackingCookie.Questionmarket : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq126.tmp -> TrackingCookie.Realmedia : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12C.tmp -> TrackingCookie.Realmedia : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11B.tmp -> TrackingCookie.Ru4 : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq344.tmp -> TrackingCookie.Ru4 : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp -> TrackingCookie.Serving-sys : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq127.tmp -> TrackingCookie.Serving-sys : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33E.tmp -> TrackingCookie.Specificclick : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq128.tmp -> TrackingCookie.Tacoda : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq129.tmp -> TrackingCookie.Tribalfusion : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12A.tmp -> TrackingCookie.Webtrendslive : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10D.tmp -> TrackingCookie.Yieldmanager : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33D.tmp -> TrackingCookie.Yieldmanager : Ignored.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12B.tmp -> TrackingCookie.Zedo : Ignored.


::Report end
joshandsara
Active Member
 
Posts: 7
Joined: March 21st, 2007, 3:08 pm

:3

Unread postby joshandsara » March 21st, 2007, 10:41 pm

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
joshandsara
Active Member
 
Posts: 7
Joined: March 21st, 2007, 3:08 pm

:4 new hijackthis.log

Unread postby joshandsara » March 21st, 2007, 10:43 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:43:01 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wilhite\Desktop\abc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi ... xdm082YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{7254E6F4-AF2E-4CB5-8351-8D50358BEBB1}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA6B4021-4E25-4233-A5AF-A8F30ABE2D77}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
joshandsara
Active Member
 
Posts: 7
Joined: March 21st, 2007, 3:08 pm

updated fixwareout log

Unread postby joshandsara » March 21st, 2007, 11:05 pm

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~2\\VPTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
joshandsara
Active Member
 
Posts: 7
Joined: March 21st, 2007, 3:08 pm

Unread postby wng_z3r0 » March 21st, 2007, 11:41 pm

Double-click on HijackThis.
Then click on the button that says run a system scan
Then place a check next to the following items: (don't hit fix just yet!)

O17 - HKLM\System\CCS\Services\Tcpip\..\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{7254E6F4-AF2E-4CB5-8351-8D50358BEBB1}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA6B4021-4E25-4233-A5AF-A8F30ABE2D77}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202


Now close all open programs (including your internet browsers) and
click "Fix" (lower left hand corner of HijackThis).

wng
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby wng_z3r0 » March 24th, 2007, 10:05 am

Ok:

You need to do three things:

Step 1: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java(TM) SE Runtime Environment 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.


Step 2: Financial details

Here is what has been happening to your computer:
1. You type in a website like http://www.mybank.com
2. Your computer needs to find out where http://www.mybank.com is located on the internet
3. Normally it asks your internet service provider (ISP)
4. However, since you got infected, it is now asking a spyware server "where is http://www.mybank.com"
5. The spyware server could say "mybank.com is HERE", where "here" is a page that *looks* like mybank.com but is a fake site
6. They steal your financial details and then pass you to the real mybank.com


Everything up to step 4 is accurate. Steps 5 and 6 are speculative. I don't actually know what all goes on at the spyware end. However the potential for identity theft is there. As such, please change your passwords etc where you feel it is appropriate.

Step 3: HJT Log
Please post one final HijackThis log for me to see.

thanks,
wng
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
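The O17 entries wng_z3r0 asks to have fixed, and the resolver hijack he describes in Step 2, can be triaged mechanically from a HijackThis log. The following is an added example (not from the thread, from HijackThis or from MalwareRemoval.com) that parses O17 lines and flags NameServer values that are neither a trusted resolver nor a LAN address; the trusted-resolver list and the fourth sample line (placeholder GUID, router address) are constructed for the demonstration.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log. The first three O17 lines are copied from the HijackThis
# log posted in this thread; the fourth (placeholder GUID, LAN router resolver) is
# added to show a value that should NOT be flagged. Note the two separator styles
# HijackThis prints: commas for per-interface keys, spaces for Tcpip\Parameters.
SAMPLE_HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{385E8FA0-FCEC-4691-AEBA-E673DAC15502}: NameServer = 85.255.115.52,85.255.112.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-PLAC-EHOL-DER0-000000000000}: NameServer = 192.168.1.1
"""

# Assumed allow-list: the resolvers this machine is expected to use (here a
# constructed LAN router address; in practice the ISP's or corporate DNS servers).
TRUSTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (registry key, [resolver tokens]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers


def classify_resolver(token: str, trusted: set) -> str:
    """trusted / local / untrusted-public / malformed for one NameServer token."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "malformed"          # not an IP at all: suspicious in itself
    if ip in trusted:
        return "trusted"
    if ip.is_private or ip.is_loopback:
        return "local"              # home router or the host itself; usually benign
    return "untrusted-public"       # a public resolver nobody on this machine chose


def find_rogue_nameservers(log_text: str, trusted_resolvers) -> List[Dict]:
    """Scan a HijackThis log and report O17 keys whose resolvers are not trusted."""
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers
               if classify_resolver(s, trusted) in ("malformed", "untrusted-public")]
        if bad:
            findings.append({
                "key": key,
                "resolvers": bad,
                # Tcpip\Parameters is the machine-wide value; a GUID key is one interface.
                # CCS = CurrentControlSet, CS1 = ControlSet001; the sample shows both set.
                "scope": "global" if key.endswith(r"Tcpip\Parameters") else "interface",
            })
    return findings


def rogue_resolver_ips(findings: List[Dict]) -> List[str]:
    """Distinct untrusted resolver addresses across all findings, sorted."""
    return sorted({ip for f in findings for ip in f["resolvers"]})


if __name__ == "__main__":
    hits = find_rogue_nameservers(SAMPLE_HJT_LOG, TRUSTED_RESOLVERS)
    for h in hits:
        print(f"[{h['scope']}] {h['key']} -> {', '.join(h['resolvers'])}")
    print("untrusted resolvers:", rogue_resolver_ips(hits))
```

Any address this reports is worth checking against the ISP's published resolvers before clearing the key, since a legitimately configured public resolver would be flagged the same way.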

Unread postby NonSuch » April 4th, 2007, 2:30 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California