Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

black screen and WARNING message that my computer is infectd

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

black screen and WARNING message that my computer is infectd

Unread postby vikto » August 25th, 2005, 11:42 pm

i have windows 98 se and use ie6. i have a permanent message on my
computer screen. that says WARNING your computer may have adware
and spyware to clean it CLICK HERE. when i click i get to PSGUARD.COM.
i have tried to contact PSGUARD with emails asking them to tell me how to remove their ad to no avail. the bug also makes it impossible to open the display icon in settings except to screen saver. i have mccafee antivirus and firewall and have tried several other anti virus programs with no help. i would appreciate any help on this one.
this is the first time i have posted so i hope i do it correctly.
vikto :?:
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm
Advertisement
Register to Remove

Unread postby vikto » August 27th, 2005, 2:46 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:39:07 PM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MonsterSoundTray] C:\Program Files\Monster Sound II\FreeCtrl.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\RunServices: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/inclu ... ontrol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » August 28th, 2005, 2:09 am

Hello vikto,

Welcome to the forum, I am checking your log now and will return as soon as I have researched all the items.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » August 28th, 2005, 12:00 pm

Hello vikto,

Please read these instructions carefully and print them out because you will not be able to connect to the internet during most of this fix! Be sure to follow ALL instructions!

I would like you to download a few tools, don't use them until you are instructed to do so.
  1. Download and install this free disk cleanup utility called Cleanup! to your Desktop or to your usual Download Folder.
    http://cleanup.stevengould.org/
  2. Please download SmitRem.exe to your Desktop.
    http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1
    Double-click the smitRem.exe and it will extract the files to a smitRem folder on your Desktop.
______________________________

If you already have the latest Ad-Aware SE 1.06 version, skip to Run Ad-Aware. Otherwise download Ad-Aware SE 1.06 from here and install it. Uncheck all the options before leaving the Install Wizard.

Run Ad-Aware and Click on the World Icon. Click the Connect button on the webupdate screen. If an update is available download it and install it. Click the Finish button to go back to the main screen.

Click on the Gear Icon (second from the left at the top of the window) to access the Configuration Window.

Click on the General Button on the left and select in green
  • Under Safety
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Under Definitions
    • Prompt to udate outdated definitions - set to 7 days
Click on the Scanning Button of the left and select in green
  • Under Driver, Folders & Files
    • Scan Within Archives
  • Under Select drives & folders to scan
    • choose all hard drives
  • Under Memory & Registry
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
Click on the Advanced Button on the left and select in green
  • Under Shell Integration
    • Move deleted files to Recycle Bin
  • Under Logfile Detail Level
    • Include addtional object information
    • DESELECT - Include negligible objects information (make it show a red X)
    • Include environment information
  • Under Alternate Data Streams
    • Don't log streams smaller than 0 bytes
    • Don't log ADS with the following names: CA_INOCULATEIT
Click the Tweak Button and select in green
  • Under the Scanning Engine (Click on the + sign to expand)
    • DESELECT Unload recognized processes & modules during scan (make it show a red X)
    • Scan registry for all users instead of current user only
  • Under the Cleaning Engine (Click on the + sign to expand)
    • Always try to unload modules before deletion
    • During Removal, unload Explorer and IE if necessary
    • Let Windows remove files in use at next reboot
  • Under the Log Files (Click on the + sign to expand)
    • Include basic Ad-aware SE settings in logfile
    • Include additional Ad-aware SE settings in logfile
    • Include reference summarry in log file
    • Include alternate data stream details in log file
Click on Proceed to save the settings and close Ad-Aware
______________________________

Make sure that you can see hidden files.
  1. Open My Computer.
  2. Select the View menu and click Folder Options.
  3. Select the View Tab.
  4. In the Hidden files section select Show all files.
  5. Click OK.
______________________________

I would recommend that you remove BestPopupKiller by Swanksoft, this vendor is actually prosecuted by FTC
See http://www.spywarewarrior.com/rogue_anti-spyware.htm and search for Swanksoft in the page.

Go to your Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

Popup killer by Swanksoft or BestPopupKiller ---> Only if you decide to remove it

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • As the computer starts, press and hold down the F8 key until the 98/ME Startup Menu appears.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
---> Only if you decide to remove it
O4 - HKCU\..\RunServices: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup ---> Only if you decide to remove it
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Close ALL windows and browsers except HijackThis and click Fix Checked.
______________________________

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\BestPopUpKiller ---> Only if you decide to remove it
C:\PROGRAM FILES\NEED2FIND
______________________________

Open the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Run Ad-Aware and Click on the Scan Now Button
  • Choose Perform Full System Scan
  • DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
______________________________

Run CleanUp! and check the custom settings to your liking under Options, but be sure that the following Detailed Settings are checked:
  • Delete Cookies
  • Delete Prefetch files (this option might not be available under windows 98 SE or might be named differently)
  • Scan local drives for temporary files
  • CleanUp! All Users
______________________________

Reset your Web Settings. Procede like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button.
Remove the check by View my Active desktop as a web page.
Click Ok then Apply and Ok.
______________________________

Reboot your computer in Normal Mode.

Run this online virus scan: Panda ActiveScan - Save the results from the scan!
______________________________

Post a new HijackThis log along with the results from ActiveScan and the smitfiles.txt.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

black screen WARNING message

Unread postby vikto » August 29th, 2005, 12:19 am

thank you kimberly. i am working on getting your suggestions done . i haven't figured out how to send the files you requested yet. you have apparently fixed my problem . no more warning screen and i can change my screen colors etc now. thanks very much and i will send the files as soon as i check again how to do it.
:lol: vikto
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » August 29th, 2005, 12:50 am

Hello vikto,

Locate smitfiles.txt in Windows Explorer (c:\smitfiles.txt), double-click on the file and it will open in Notepad. Click Edit > Select All and then Edit > Copy. Now Paste the content in your reply here. (Just like you paste the content of the HijackThis log.)

Locate the Panda ActiveScan log and perform the same steps.

Run HijackThis again and copy / paste the log here.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

black screen and warning

Unread postby vikto » August 29th, 2005, 6:12 pm

i'm having fun here kim.i will have to download hijackthis again and will send it in another post.
panda
Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0

smitfiles

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


intell32.exe
oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll INFECTED!! :(
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

black screen warning

Unread postby vikto » August 29th, 2005, 6:20 pm

hijack this
Logfile of HijackThis v1.99.1
Scan saved at 6:17:41 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MonsterSoundTray] C:\Program Files\Monster Sound II\FreeCtrl.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/inclu ... ontrol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » August 30th, 2005, 12:08 pm

Hello vikto,

Please read these instructions carefully and print them out because you will not be able to connect to the internet during most of this fix! Be sure to follow ALL instructions!

Click Start then Run and Type command and click Ok

In the DOS Window, type:

copy c:\windows\system\wininet.dll c:\windows\desktop

Close the DOS Window and reboot.
______________________________

Scan the Desktop Folder (c:\windows\desktop) with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.
______________________________

Reboot your computer in Command prompt only.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • As the computer starts, press and hold down the F8 key until the 98/ME Startup Menu appears.
  • Ensure that the Command prompt only option is selected.
  • Press Enter.
Type the following lines at the prompt, and hit Enter after each line you type:

del c:\windows\system\wininet.dll

del c:\windows\system\oleext.dll

copy c:\windows\desktop\wininet.dll c:\windows\system


If you get a prompt asking you if you really want to delete a file, confirm deletion. If you get a prompt asking you if you want to replace wininet.dll, confirm replacement.

Reboot your computer in Safe Mode
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • As the computer starts, press and hold down the F8 key until the 98/ME Startup Menu appears.
  • Ensure that the Safe Mode option is selected.
  • Press Enter.
______________________________

Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present.

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

Close ALL windows and browsers except HijackThis and click Fix Checked.

Using Windows Explorer, Search and Delete this Folder if listed:

C:\Program Files\PSGuard

Reboot in Normal Mode
______________________________

We need to check the file C:\Windows\System\wininet.dll to see if it got cleaned up. Go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning. Let me know the results. (Highlight the results, select copy and paste them in your reply.)

Note: If you have trouble reaching Jotti's, upload the file at Virus Total and save the results.
http://www.virustotal.com

Post a new HijackThis log.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

black screen warning message

Unread postby vikto » August 30th, 2005, 8:36 pm

hi kimberly
here are latest scans.and thanks again.

jotti
Service load:
0% 100%
File: wininet.dll Status:
OK MD5 5c21dfea0ed8d98aac4db02da3e4b35b Packers detected:
-
Scanner results AntiVir
Found nothing ArcaVir
Found nothing Avast
Found nothing AVG Antivirus
Found nothing BitDefender
Found nothing ClamAV
Found nothing Dr.Web
Found nothing F-Prot Antivirus
Found nothing Fortinet
Found nothing Kaspersky Anti-Virus
Found nothing NOD32
Found nothing Norman Virus Control
Found nothing UNA
Found nothing VBA32
Found nothing


hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:30:48 PM, on 8/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MonsterSoundTray] C:\Program Files\Monster Sound II\FreeCtrl.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE.COM\AGENT\MCREGWIZ.EXE /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/inclu ... ontrol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » August 31st, 2005, 11:50 pm

Hello vikto,

Sorry for the delayed response, I wasn't able to be much around today.

The scanner results are perfect, wininet.dll is clean now. :)

Your HijackThis log is clean. I want to be sure that there are no more leftovers, so I would like you to perform the following:

Download and install the 15 days trial of Counterspy.
Make sure the definitions are updated to version 216 and up by clicking on File, Check for updates. Let it perform a full scan and clean up everything it finds. If possible, post the report / log as a reply here.

Also, how is your computer behaving now ? Any annoying popups or alerts ?

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

black screen and warning message

Unread postby vikto » September 1st, 2005, 9:13 pm

:) hello kimberly
my computer is working quite well,thanks to you.
i have an icon for wininet.dll on the screen. can i just delete the icon or should i leave it alone.
i am sending the only report from counterspy that i was able to copy and paste.
in case this the end of your effort i want to thank you for your time and expertise. i hope you are able to help others too.
vSpyware Scan Details
Start Date: 9/1/05 8:28:38 PM
End Date: 9/1/05 8:34:59 PM
Total Time: 6 mins 21 secs

Detected spyware

Trojan.Desktophijack Trojan more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39603>
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Ignored
High spyware - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes


Cydoor.TOPicks Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=13112>
Details: TOPicks is adware implemented as an Internet Explorer toolbar. TOPicks shows targeted links to sponsored sites.
Status: Deleted
Elevated spyware - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d}
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d}\TypeLib {676F6D1D-C559-42A9-860B-27C1477B7179}
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\software\classes\interface\{258a3625-183b-4477-aee2-ea54df6d878d} IDMan25


Adw.PSGuard Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=40312>
Details: PSGuard is a fraudulent anti-spyware program which uses desktop advertising to scare users into paying for the product.
Status: Deleted
Elevated spyware - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057E242F-2947-4e0a-8E61-A11345D97EA6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69} ISafeMode
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159} IScaner
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B26B5883-F15F-4283-B3D5-A1728077DE47} IFoundCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B803D266-A08D-4A4C-9604-6D35689ABE09} IRTObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7}\TypeLib {982392F9-9C65-48B4-B667-3459C46630D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6E2A22C-B3A8-43A4-B5EC-A5BB671AB3F7} IWindowLayer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CB9385AB-8541-4B2F-A363-48F64C612993} _ISafeModeEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF1674CC-EC9A-4AEE-996E-65A8F7C0B0E4} _IQuarantineEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D5D6E9B5-30D5-4457-AC8B-399205F50411} IRealTime
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D6A7D177-0B2F-4283-B2E8-B6310A45E606} IScanStatistic
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0D6C30A-B9A3-4181-8099-3B0D5A2B98AF} IKilledProcessInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F100A342-3AC5-47FF-B5B3-FCDB6FC9F016} _IUpdateEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F}\TypeLib {982392F9-9C65-48B4-B667-3459C46630D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{09B90087-4FFA-4A44-BE69-DA117A710F07} _ILicenseEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F4364EEC-31F5-4B8B-A7E0-3B6394C9D23F} _IWindowLayerEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}\1.0\FLAGS 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}\1.0\0\win32 C:\PROGRAM FILES\PSGUARD\WNDSYSTEM.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}\1.0\HELPDIR C:\PROGRAM FILES\PSGUARD\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}\1.0 WndLayer 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F61D1CE1-5199-4B57-B59E-C6819EA92F3B}\1.0\FLAGS 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F61D1CE1-5199-4B57-B59E-C6819EA92F3B}\1.0\0\win32 C:\PROGRAM FILES\PSGUARD\CORE.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F61D1CE1-5199-4B57-B59E-C6819EA92F3B}\1.0\HELPDIR C:\PROGRAM FILES\PSGUARD\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F61D1CE1-5199-4B57-B59E-C6819EA92F3B}\1.0 AVECore 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSGuard spyware remover
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSGuard spyware remover DisplayName PSGuard spyware remover
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSGuard spyware remover UninstallString "C:\Program Files\PSGuard\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License Data InstallTime=1c5ac3b:918222c0 LastRunTime=1c5adb3:1f545960
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard InstallationID {48130B21-180D-11DA-84F2-000102EDDF60}
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard VersionInfo APP_VER=3.3.0.4 DATABASE_VER=3.3.0.3 DATE=17/08/05 SIGNATURES=51780
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard RegistrationUrl http://www.psguard.com/register/9.0.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard C:\Program Files\PSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard InstallDir C:\Program Files\PSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard DatabaseFile C:\Program Files\PSGuard\database.pkg
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard ResourceDll C:\Program Files\PSGuard\Localization.dll
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard SCAN_DEPTH 1
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard SCAN_PRIORITY 0
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard QuarantineLocation C:\Program Files\PSGuard\Quarantine
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard MinOnStartup 0
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard ScanOnStartup 1
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard StartAtWinStartup 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard EnableRTMonitoring 1
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard AlwaysBlockChanges 0
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard AlwaysBlockWhenNoAV 1
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard PerformUpdate 1
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard UpdateInterval 3
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard MGuid {48130B20-180D-11DA-84F2-000102EDDF60}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1449F89C-AD28-427A-97FF-1D5BD812EA43} IFoundObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C08D3D0-1E04-4DDE-AB0A-75355EA2585E} IUpdateInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} IT -1125279050
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B}\TypeLib {982392F9-9C65-48B4-B667-3459C46630D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{206538F7-F98C-4A46-A7D4-4A37FCDC932B} IWindowCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} No 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{20F8B70D-9F16-4DCB-8788-90A0498E46B9} _IRealTimeEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{28FEDB90-53C7-4928-994A-CEE782606507} ItheApp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9}\TypeLib {982392F9-9C65-48B4-B667-3459C46630D1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2C462D06-3BA0-48BB-9282-BB6519FE86E9} IWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3A350193-C7F7-4E10-B347-02FF4C3CC4E9} IUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4723879B-8F52-4BE7-9994-626AFA539366} IQuarantine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B6A3434-8625-4ABF-B79D-09D98C2498C4} IKilledProcessesCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8B6C0168-BAAC-4C7C-911E-0132590F5661} IVersionInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EC33B7D-9953-4EDB-ACE2-D4C105968601} ILicense
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A00E2305-7001-4200-BA00-5779F9A3E7D3} _IScanerEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{08101C3E-6C90-439E-9734-6E4DD1B53B69}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20F5672-7486-4D27-BD2B-E555E4692C5F} IOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159}\TypeLib {F61D1CE1-5199-4B57-B59E-C6819EA92F3B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A917B2F3-A9BF-477C-A0E3-0382D0376159}\TypeLib Version 1.0


SennaSpy Trojan Generator 3.01 Trojan more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=40972>
Details: Senna is a tool to generate new trojan as per requirement of the user.
Status: Deleted
Elevated spyware - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

Infected files detected
c:\windows\st6unst.001


My Search Bar Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14832>
Status: Deleted
Moderate spyware - Moderate threats may profile users online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial type adware that offer a premium service in exchange for tracking your user online performance.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32 C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
HKEY_CLASSES_ROOT\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}


KaZaA P2P more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=7631>
Details: Kazaa is a Peer to Peer file sharing application that uses some adware advertising as well as installs a number of thrid party adware software on your computer.
Status: Deleted
Low spyware - Low risk threats pose a very low risk or no immediate danger to your computer or your privacy, however these types of applications may profile user online habits, but only according to specific privacy policies stated in the applications End-User License. These types of threats generally borderline on being a threat to being a standard application that has a complex license agreement that you knowingly installed.

Infected files detected
c:\program files\kazaa\my shared folder\mormon tabernacle choir - you'll never walk alone.mp3
c:\program files\kazaa\my shared folder\ray conniff - you'll never walk alone.mp3
c:\program files\kazaa\bgp2p\plugins\ve.cvd
c:\program files\kazaa\bgp2p\plugins\ve.ivd
c:\program files\kazaa\bgp2p\plugins\ve.xmd
c:\program files\kazaa\bgp2p\plugins\vedata.cvd
c:\program files\kazaa\bgp2p\plugins\viza.xmd
c:\program files\kazaa\bgp2p\plugins\wise.xmd
c:\program files\kazaa\bgp2p\plugins\xishield.xmd
c:\program files\kazaa\bgp2p\plugins\z.xmd
c:\program files\kazaa\bgp2p\plugins\zip.xmd
c:\program files\kazaa\bgp2p\plugins\zoo.xmd
c:\program files\kazaa\my shared folder\disney soundtracks - the tigger movie - winnie the pooh - pooh's lullabee.mp3
c:\program files\kazaa\bgp2p\versions.dat
c:\program files\kazaa\bgp2p\plugins.htm
c:\program files\kazaa\bgp2p\bdupd.dll
c:\program files\kazaa\data\{cfe92410-cb41-ee6e-0031-a9cb2227ca3d}
c:\program files\kazaa\data\{1c3fae1d-9707-68ff-9d3c-b13de97b6579}
c:\program files\kazaa\data\{9a1d3e2b-e5c7-686f-86e3-47003c6dd00b}
c:\program files\kazaa\data\{4e214f97-d88e-9b86-4025-3bf6edd16f1a}
c:\program files\kazaa\db\data1024.dbb
c:\program files\kazaa\db\data256.dbb
c:\program files\kazaa\db\np.tmp
c:\program files\kazaa\my shared folder\movie themes - romeo and juliet (classical).mp3
c:\program files\kazaa\db\k7tqkgkk_tssv125.dat
c:\program files\kazaa\my shared folder\soundtracks- movie themes - gettysburg.mp3
c:\program files\kazaa\my shared folder\morman tabernacle chori - silent night.mp3
c:\program files\kazaa\my shared folder\gospel - brooklyn tabernacle choir - you'll never walk alone.mp3
c:\program files\kazaa\my shared folder\elvis presley - i believe.mp3
c:\program files\kazaa\my shared folder\you'll never walk alone.mp3
c:\program files\kazaa\my shared folder\you'll never walk alone (2).mp3
c:\program files\kazaa\my shared folder\mormon tabernacle choir - you'll never walk alone (2).mp3
c:\program files\kazaa\my shared folder\connie francis - my happiness.mp3
c:\program files\kazaa\my shared folder\sarah mclachlan- arms of the angle.mp3
c:\program files\kazaa\bgp2p\plugins\emalware.ivd
c:\program files\kazaa\bgp2p\plugins\ace.xmd
c:\program files\kazaa\bgp2p\plugins\adsntfs.xmd
c:\program files\kazaa\bgp2p\plugins\alz.xmd
c:\program files\kazaa\bgp2p\plugins\arc.xmd
c:\program files\kazaa\bgp2p\plugins\arj.xmd
c:\program files\kazaa\bgp2p\plugins\bach.xmd
c:\program files\kazaa\bgp2p\plugins\bzip2.xmd
c:\program files\kazaa\bgp2p\plugins\cab.xmd
c:\program files\kazaa\my shared folder\timi yuro - you'll never walk alone.mp3
c:\program files\kazaa\bgp2p\plugins\cevakrnl.cvd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.ivd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.rvd
c:\program files\kazaa\bgp2p\plugins\cevakrnl.xmd
c:\program files\kazaa\bgp2p\plugins\ceva_dll.cvd
c:\program files\kazaa\bgp2p\plugins\ceva_emu.cvd
c:\program files\kazaa\bgp2p\plugins\ceva_vfs.cvd
c:\program files\kazaa\bgp2p\plugins\chm.xmd
c:\program files\kazaa\bgp2p\plugins\cpio.xmd
c:\program files\kazaa\bgp2p\plugins\cran.cvd
c:\program files\kazaa\my shared folder\harry belafonte - turn around.mp3
c:\program files\kazaa\bgp2p\plugins\cran.ivd
c:\program files\kazaa\bgp2p\plugins\cran.xmd
c:\program files\kazaa\bgp2p\plugins\dbx.xmd
c:\program files\kazaa\bgp2p\plugins\docfile.xmd
c:\program files\kazaa\bgp2p\plugins\emalware.cvd
c:\program files\kazaa\bgp2p\plugins\nsis.xmd
c:\program files\kazaa\bgp2p\plugins\emalware.xmd
c:\program files\kazaa\bgp2p\plugins\epoc.xmd
c:\program files\kazaa\bgp2p\plugins\gzip.xmd
c:\program files\kazaa\bgp2p\plugins\ha.xmd
c:\program files\kazaa\my shared folder\mormon tabernacle choir - you'll never walk alone (1).mp3
c:\program files\kazaa\bgp2p\plugins\hlp.xmd
c:\program files\kazaa\bgp2p\plugins\hpe.cvd
c:\program files\kazaa\bgp2p\plugins\hpe.xmd
c:\program files\kazaa\bgp2p\plugins\hqx.xmd
c:\program files\kazaa\bgp2p\plugins\html.xmd
c:\program files\kazaa\bgp2p\plugins\imp.xmd
c:\program files\kazaa\bgp2p\plugins\inno.xmd
c:\program files\kazaa\bgp2p\plugins\instyler.xmd
c:\program files\kazaa\bgp2p\plugins\iso.xmd
c:\program files\kazaa\bgp2p\plugins\java.cvd
c:\program files\kazaa\my shared folder\mormon tabernacle choir _ok.mp3
c:\program files\kazaa\bgp2p\plugins\java.xmd
c:\program files\kazaa\bgp2p\plugins\jpeg.xmd
c:\program files\kazaa\bgp2p\plugins\lha.xmd
c:\program files\kazaa\bgp2p\plugins\lnk.xmd
c:\program files\kazaa\bgp2p\plugins\mbox.xmd
c:\program files\kazaa\bgp2p\plugins\mbx.xmd
c:\program files\kazaa\bgp2p\plugins\mdx.xmd
c:\program files\kazaa\bgp2p\plugins\mdx_97.cvd
c:\program files\kazaa\bgp2p\plugins\mdx_97.ivd
c:\program files\kazaa\bgp2p\plugins\mdx_w95.cvd
c:\program files\kazaa\my shared folder\mormon tabernacle choir - handel's messiah -hallelujah chorus.mp3
c:\program files\kazaa\bgp2p\plugins\mdx_x95.cvd
c:\program files\kazaa\bgp2p\plugins\mdx_xf.cvd
c:\program files\kazaa\bgp2p\plugins\mime.xmd
c:\program files\kazaa\bgp2p\plugins\mso.xmd
c:\program files\kazaa\bgp2p\plugins\na.cvd
c:\program files\kazaa\bgp2p\plugins\na.xmd
c:\program files\kazaa\bgp2p\plugins\nelf.cvd
c:\program files\kazaa\bgp2p\plugins\nelf.xmd
c:\program files\kazaa\bgp2p\plugins\update.txt
c:\program files\kazaa\bgp2p\plugins\objd.xmd
c:\program files\kazaa\my shared folder\lord's prayer.mp3
c:\program files\kazaa\bgp2p\plugins\pdf.xmd
c:\program files\kazaa\bgp2p\plugins\pst.xmd
c:\program files\kazaa\bgp2p\plugins\rar.xmd
c:\program files\kazaa\bgp2p\plugins\rpm.xmd
c:\program files\kazaa\bgp2p\plugins\rtf.xmd
c:\program files\kazaa\bgp2p\plugins\rup.cvd
c:\program files\kazaa\bgp2p\plugins\rup.xmd
c:\program files\kazaa\bgp2p\plugins\sdx.cvd
c:\program files\kazaa\bgp2p\plugins\sdx.ivd
c:\program files\kazaa\bgp2p\plugins\sdx.xmd
c:\program files\kazaa\my shared folder\fantasia barrino- i believe.mp3
c:\program files\kazaa\bgp2p\plugins\sfx.xmd
c:\program files\kazaa\bgp2p\plugins\swf.xmd
c:\program files\kazaa\bgp2p\plugins\tar.xmd
c:\program files\kazaa\bgp2p\plugins\td0.xmd
c:\program files\kazaa\bgp2p\plugins\thebat.xmd
c:\program files\kazaa\bgp2p\plugins\tnef.xmd
c:\program files\kazaa\bgp2p\plugins\unpack.cvd
c:\program files\kazaa\bgp2p\plugins\unpack.ivd
c:\program files\kazaa\bgp2p\plugins\unpack.xmd
c:\program files\kazaa\bgp2p\plugins\uudecode.xmd

Infected folders detected
c:\program files\kazaa
c:\program files\kazaa\my shared folder
c:\program files\kazaa\bgp2p
c:\program files\kazaa\licenses
c:\program files\kazaa\data
c:\program files\kazaa\db
c:\program files\kazaa\bgp2p\plugins

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Kazaa\Advanced
HKEY_CURRENT_USER\software\kazaa Tmp 0
HKEY_CURRENT_USER\Software\Kazaa\Advanced Status Installed
HKEY_CURRENT_USER\software\kazaa
HKEY_CURRENT_USER\software\kazaa\Transfer +
HKEY_CURRENT_USER\software\kazaa\Transfer NoUploadLimitWhenIdle 1
HKEY_CURRENT_USER\software\kazaa\Settings +
HKEY_CURRENT_USER\software\kazaa\Settings Date
HKEY_CURRENT_USER\software\kazaa\Settings UseCount 0
HKEY_CURRENT_USER\software\kazaa\Advanced Status Installed


Detected Spyware Cookies
ikto
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » September 2nd, 2005, 11:44 am

Hello vikto,

We are almost done, just a few details to fix. From the CounterSpy log I see that you had Kazaa running. This program comes bundled with spyware unless you have the paid version. Although I don't recommend the install of such a program because very often you will get a lot of unwanted things, I suggest you take a look at this page:
Clean and Infected File Sharing Programs
______________________________

i have an icon for wininet.dll on the screen. can i just delete the icon or should i leave it alone.

You may delete the wininet.dll on you Desktop (screen)
______________________________

I would like you to download a few tools, don't use them until you are instructed to do so. I want to be sure that the spyware bundled with Kazaa is cleaned up.

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

Please download KazaaBegone from the following link and save it to a location you can find later if necessary. Create a folder for it on the C: drive called C:\KGone You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it KGone. Extract all the files from the zip archive into that folder. Open the KGone folder and double click KazaaBegone.exe. Follow the instructions given by the program.
______________________________

Run Sunbelt Counterspy and fix the ignored entry form the log and everything else it finds.

Trojan.Desktophijack Trojan more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39603>
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Ignored

______________________________

Run CleanUp! once more and reboot your computer.
______________________________

If you can not connect to the Internet after you did run KazaaBegone, please run the LSP-Fix program I had you download earlier.
  • Close all windows except LSPfix.
  • Put a check mark in the box I know what I am doing
  • Click on the Finish button.
  • Reboot and you should be able to get back on.
______________________________

I would like to perform a final check to see if there is something leftover to fix.

Run HijackThis, click on Open the Misc Tools Section, Put a checkmark in List also minor sections and List empty sections. Click on Generate StartupList log, anwser Yes and copy/past the content in your reply.
Click Back and Click on Scan. When the scan is finished, click Save Log and paste the content in your reply.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

black screen warning

Unread postby vikto » September 2nd, 2005, 9:28 pm

hello kimberly
i was unable to fix the trojan desktop. running the counterspy again
showed no troubles.
i did not need to run lspfix.
i have to ask if you are in france as the flag below your name shows?
here are logs from hijack this:
vikto

StartupList report, 9/2/05, 8:55:33 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MonsterSoundTray = C:\Program Files\Monster Sound II\FreeCtrl.exe
VortexTray = C:\WINDOWS\au30setp.exe 3
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
VSOCheckTask = "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
VirusScan Online = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
MCAgentExe = C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
TCASUTIEXE = TCAUDIAG.exe -on
MCUpdateExe = C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
SUNASDTSERV = C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
(Default) =
sunasServ = C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
winmodem = WINMODEM.101\wmexe.exe
McAfee Firewall = "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
McVsRte = C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
HistoryKill = C:\Program Files\HistoryKill\\histkill.exe /startup
Registry Cleaner = "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
Spyware Doctor = "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 C:\WINDOWS\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol_remove 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 C:\WINDOWS\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\UNDERW~2.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/9/2005, 20:43:42)

[rename]
NUL=C:\WINDOWS\Cookies\index.dat
NUL=C:\WINDOWS\TEMPOR~1\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A240 I2 D3 T4
LH C:\WINDOWS\AU30DOS.COM

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

LH AU30DOS.COM

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
McAfee.com Update Check 08022005205438.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/C ... 9471527778

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://www.contentwatch.com/audit/inclu ... ontrol.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan ... asinst.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBSCAN.DLL
CODEBASE = http://www3.ca.com/securityadvisor/viru ... ebscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #2: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #3: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #4: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #5: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #6: C:\WINDOWS\SYSTEM\CSLSP.DLL
Protocol #7: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #8: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #9: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #10: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #11: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #12: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #13: C:\WINDOWS\SYSTEM\CSLSP.DLL

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
TurboVBF: turbovbf.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 24,767 bytes
Report generated in 0.550 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Logfile of HijackThis v1.99.1
Scan saved at 9:00:43 PM, on 9/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\TCAUDIAG.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MonsterSoundTray] C:\Program Files\Monster Sound II\FreeCtrl.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\TPT REGISTRY_CLEANER (TRIAL)\REGCLEAN.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/inclu ... ontrol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab :)
vikto
Active Member
 
Posts: 9
Joined: August 25th, 2005, 4:58 pm

Unread postby Kimberly » September 3rd, 2005, 12:33 am

Hello vikto,

i was unable to fix the trojan desktop. running the counterspy again
showed no troubles.

You mean that entry was still reported by CounterSpy but that you couldn't fix it ? Or was it gone when you did run CounterSpy again ?

Perform this small fix if CounterSpy still reports the Trojan.Desktophijack and let me know about it. Otherwise you may skip this step.

Copy/paste the following text into a new Notepad document. Make sure that you have one blank line at the end of the document as shown in the quoted text.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes]


Save it to your desktop as Fix.reg. Save it as :
File Type: All Files (not as a text document or it wont work).
Name: Fix.reg

If your OS doesn't have the File Type Option, save it as a text file but put the name between double quotes like this "Fix.reg"

Locate Fix.reg on your Desktop. If you see that the filename is Fix.reg.txt change it to Fix.reg
Double click Fix.reg When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.
______________________________

We made it, you're clean now, well done. :)

Let's try to keep it like that by following these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Good luck, and thanks for coming to our forums for help with your security and malware issues.

Please let me know if everything runs smootly now. Don't hesite to post back if you notice something unusual.

Oh, I almost forgot to answer your question. ;) Yes, the flag is correct.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 290 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware