Tabbydaze Posted January 7, 2006

I'm having trouble - I've read some of the forum help pages and tried a few things. The pop-ups are gone but I'm still getting warnings from my scans. I have been scanning with a-squared, ewido and AVG. AVG was picking up a virus but today has shown none. a-squared is still showing something there. Any help would be great. Bear with me as this is the first time for me to try this with online help. I was able to track my 1st and only virus before, 2 yrs ago. No such luck or time on this one. Tabby

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:54 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SYS99.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Rhapsody\rhaphlpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM32\nwinpsaw.exe CORN001
O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.21\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
Dragon Posted January 8, 2006

So that we have a little better idea what we are looking for, could you please tell us which file a-squared is saying it is finding?
Tabbydaze (Author) Posted January 8, 2006

"So that we have a little better idea what we are looking for, could you please tell us which file a-squared is saying it is finding?"

I'm re-running that right now and will post. Just to be sure I get this right, is there any special instruction on posting the results? Thanks, Tabby
Tabbydaze (Author) Posted January 8, 2006

Ok, last night when I ran a-squared it showed nothing. But their <sorry, not sure what it's called> thing that runs in the background was popping up with this -

C:\WINDOWS\SYSTEM32\nwinpsaw.exe
Found a possible trojan or spyware downloader
C:\WINDOWS\win3208351053236.exe
Found a possible trojan or spyware downloader

I clicked to allow the first one to go once, and the second one kept popping up over and over so I set it to allow it always, and the pop-up ads swarmed in after that. I've run Ad-Aware and am now gonna scan again with a-squared. This is taking me a little time because I have a baby in the house as well as 2 other kids. Can anyone tell me what scans to send in - maybe all at once? I usually can get on when the baby is napping and try to get things done, but this could take days with me trying to send one type of scan at a time. Thanks so much - Tabby
Tabbydaze (Author) Posted January 8, 2006

a-squared scan -

Filename    Diagnosis
C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@adknowledge[1].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@tribalfusion[1].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@trafficmp[1].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@com[2].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][2].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@zedo[1].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston family@burstnet[2].txt    Trace.TrackingCookie
C:\Documents and Settings\Johnston Family\Cookies\johnston [email protected][1].txt    Trace.TrackingCookie
Tabbydaze (Author) Posted January 8, 2006

I'm not sure what to do, some file I need to get online is gone - I went to boot last night after getting some hard lag and when it restarted it wouldn't go online. When I tried repair it said it was unable to detect IP or something. I'm gonna try to find the file I need - what do I do next? Someone please help me. Already called my internet tech support people - I'm gonna "try" to find the file he referred me to - if anyone is on XP Home SP2 that might have it (if possible) can ya e-mail me. Ok, I'm going to add the HijackThis log I just ran - should I be unplugged from the internet and in safe mode to run it? Bear with me - I'm a housewife and mother, the PC is my side job. a-squared shows a clean scan from "scan your pc for malware" but on "check your system with hijack free" it shows things like bigfoot, alandinz.p, mutebot, pizaboy-a, flood.av, fan-a, rbot and many more in several diff places. Most listed came from the scan from system tray. I have scanned, scrubbed, and so on but still come up with those on the a-squared system scan. At one point I thought I was rid of trouble but then back again. AVG is not picking up a virus anymore tho. Also I am having trouble with start-up programs that keep coming back. All I want on start up is win and needed antivirus and firewall control - I have deleted zenop everywhere I can find it but it is still back, also something to do msn messenger.

Please help

Logfile of HijackThis v1.99.1
Scan saved at 11:10:53 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\win3208351053236.exe
C:\WINDOWS\SYS99.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\SYSTEM32\nwinpsaw.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\JOHNST~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM32\nwinpsaw.exe CORN001
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited January 9, 2006 by Tabbydaze
Dragon Posted January 10, 2006

Ok, first I want to apologize for the belated reply. I had family come in from out of town over the weekend, and to top things off, for some reason I didn't receive my notification that you had responded. Second, I merged your two topics together since they are still dealing with the same problem. Please keep your posting to this one thread until we get you cleaned up.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to these following items, then click Fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\Wadpaphk.dll
C:\WINDOWS\system32\jumb.exe
C:\WINDOWS\win3208351053236.exe
C:\WINDOWS\SYS99.exe
C:\WINDOWS\SYSTEM32\nwinpsaw.exe

Reboot your PC.

Even though you have antivirus software on your system, it can become corrupted by malware. Please run a free online virus scan here (tick the "Auto Clean" checkbox): http://housecall.antivirus.com/

And a free trojan scan here: http://www.moosoft.com/

If you would please, reboot and rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
Tabbydaze (Author) Posted January 11, 2006

Hey there, thanks for the reply. I'm down at home. My TCP/IP is gone, corrupt? Not sure. I'm not even sure about how to go about mending this other than with a clean install. I have gotten diff tech support on this saying 2 diff things. Any ideas? I'm at the library right now and will come back tonight to check this. I really don't want to have to do a clean install yet, but if all else fails I guess I will have to. I'm running an eMachine, XP Home SP2 - I was told by one person to find the file online, but after doing a search I found a command to put in but it is not working. Tech support at my internet carrier said to call the eMachine folks but can't get help there because there is a charge. If you've any ideas I'd love ya lots if you'd pass em on. I'm going to print your last post and go do that stuff. Will be back later today (if you get this in the next 30 min I will still be here). Thanks again LOTS, Tabby
Dragon Posted January 11, 2006

You said your TCP/IP is corrupted?? Ok, let's get you back online. I hope you have a floppy disk with you, because I need you to get a file off the internet and put it on the disk.

1.) Download WinsockFix.zip. (by: Option^Explicit)
2.) Unzip WinsockFix.zip (pay close attention to where the file is extracted to).
3.) Run WinsockFix.exe.
4.) Click the Fix button.

This program will clean up your TCP/IP connection and rebuild the database. After the program is complete, reboot and your problems should be resolved.
Tabbydaze (Author) Posted January 11, 2006

Ok I'M BACK! Don't ask me how, but it's online. I saw that winsock thing online (go to command prompt then type the command "Netsh winsock reset") and tried that - called a PC tech friend who argued with me <LOL> over how I got dumped from online, then lil here, lil there (he had me delete some spyware files) and it seemed to not work after several restarts, but I restarted right now and was about to reinstall my Actiontec gateway box and thought I'd give it a check to get online and I'M HERE! Makes no sense because I tried after doing everything else and it would not go - anyhow, so here is the new HijackThis log ---- should I go to that link still and do the winsock dl? Thanks again for your time.

Logfile of HijackThis v1.99.1
Scan saved at 3:57:44 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited January 11, 2006 by Tabbydaze
Tabbydaze (Author) Posted January 12, 2006

Here's this morning's HijackThis log. I have a question --- I'm a music freak and not having WinMX is a nightmare. I, once again, downloaded LimeWire last night. Is that a terribly bad program? Will it matter if I buy it? Anyhow, wanted to post this new log since I was on last night messing around and it seems every time I try to start a program I create trouble. I see this CSRSS.EXE in a-squared. This is in the 3rd scan box. I'm trying to avoid restart because whatever it is comes back on restart - here's the new log -

Logfile of HijackThis v1.99.1
Scan saved at 8:30:29 AM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Dragon Posted January 12, 2006

To be honest with you, it's a wonder you're online. I don't know exactly what your PC tech told you to remove, but he broke an LSP chain that we now have to fix.

Please download WinPFind. Extract WinPFind.zip to your c:\ folder. Do Not Run it Yet.

Next, please download LSPFix from http://www.cexx.org/lspfix.htm and run the program. Disconnect from the Internet and close all Internet Explorer windows. Check the "I know what I'm doing" button and remove all traces of newdotnet3_88.dll.

Reboot your computer into Safe Mode. Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
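The helper's workflow in this thread is to pick entries out of a HijackThis log, have them fixed, then compare a fresh log against the old one (and, later, spot the O10 broken-LSP line). The script below is an added example, not code from HijackThis or from anyone in the thread: it parses the HijackThis v1.99.1 line format, flags the two conditions the thread itself relies on ("(file missing)" and the O10 "Broken Internet access" line), lists the executables that O4 autostart entries launch, and diffs two logs. The two log excerpts are constructed from the 1/8/2006 and 1/11/2006 logs quoted above.

```python
"""Parse HijackThis 1.99.1 logs, flag the obvious problems, and diff two logs.

Added example for this thread; not HijackThis code. The log excerpts are
constructed from the 1/8/2006 and 1/11/2006 logs posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Every entry line looks like "O4 - <body>", "R0 - <body>", etc.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O4 bodies: "HKLM\..\Run: [Name] command" or "Startup: Name.lnk = command"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First executable-looking token of a command line, surrounding quotes stripped.
PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|ocx))"?', re.I)


@dataclass
class Entry:
    kind: str                        # section code, e.g. "O4"
    body: str                        # text after "O4 - "
    flags: list = field(default_factory=list)
    name: str = ""                   # O4 only: Run value name or shortcut name
    cmd: str = ""                    # O4 only: command line launched at logon

    def key(self):
        # Paths in HJT logs vary in case between runs; compare case-insensitively.
        return (self.kind, self.body.lower())


def parse_log(text):
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the "Running processes" list
        e = Entry(m.group("kind"), m.group("body"))
        if "(file missing)" in e.body:
            e.flags.append("file-missing")   # hook points at a file that is gone
        if e.kind == "O10" and "Broken Internet access" in e.body:
            e.flags.append("broken-lsp")     # Winsock LSP chain references a missing DLL
        if e.kind == "O4":
            r = RUN_RE.match(e.body) or STARTUP_RE.match(e.body)
            if r:
                e.name, e.cmd = r.group("name"), r.group("cmd")
        entries.append(e)
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


def autostart_targets(entries):
    """Executables launched by O4 entries: the files to look for on disk in safe mode."""
    targets = set()
    for e in entries:
        if e.kind == "O4" and e.cmd:
            p = PATH_RE.match(e.cmd)
            if p:
                targets.add(p.group("path"))
    return targets


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b = {e.key(): e for e in before}
    a = {e.key(): e for e in after}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


# Constructed excerpt of the 1/8/2006 log (before the fix).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:10:53 AM, on 1/8/2006
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\win3208351053236.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = blank
R3 - URLSearchHook: (no name) - {4483DF3D-6896-1EE5-BE10-342402D7527C} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: (no name) - {65718DEC-27B3-A0B3-3420-A8772CD3BEA9} - C:\WINDOWS\Wadpaphk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Jumbo Updater] C:\WINDOWS\system32\jumb.exe
O4 - HKLM\..\Run: [win3208351053236] C:\WINDOWS\win3208351053236.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYS99.exe
O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM32\nwinpsaw.exe CORN001
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinpsaw.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Constructed excerpt of the 1/11/2006 log (after the fix; note the new O10 line).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:57:44 PM, on 1/11/2006
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    removed, added = diff_logs(before, after)
    print("autostart executables to check on disk:", sorted(autostart_targets(before)))
    print("entries gone after fix:", [f"{e.kind} - {e.body}" for e in removed])
    print("entries new after fix:", [f"{e.kind} - {e.body}" for e in added])
    print("still flagged:", [(e.kind, e.flags) for e in flagged(after)])
```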
Tabbydaze (Author) Posted January 12, 2006

I just wanted to post this before doing anything else because I have been working on my PC all day and I don't see the broken file anymore unless I just missed it somewhere. My friend did not have me delete that - that being broken is why I called him. Soon after posting here - I got really bad lag one night and went to boot and "Poof" my connection was gone. My friend is the one that helped me somehow, still ain't sure how, get back online. I had found a winsock command - not sure that had anything to do with it. Anyhow - Ad-Aware, Spybot, AVG, ewido, & a-squared run a clean scan but Truesword pulled a lot of stuff. Seems that I run into trouble once I restart.... or after clicked programs open. Let me know if you still need me to do the steps from the last post - Thanks SO much for your time! Tabby. Oh, and no sign of the "newdotnet".

Logfile of HijackThis v1.99.1
Scan saved at 2:20:40 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Edited January 12, 2006 by Tabbydaze
Dragon (posted January 13, 2006)

OK, please do the WinPFind log as requested; it sounds like we might be dealing with hidden malware. You are correct about the NewDotNet entry missing; it is odd that it disappeared on its own.

I forgot to mention in my last post, after I saw you were using LimeWire, that LimeWire is clean itself when it comes to the program; however, the files you are downloading, sharing, etc. are more than likely where you are getting your infections from. P2P programs open new doors for malware to come into your system no matter how protected it may be. The reason for this is that you are connecting to other home computer systems, and those in turn could be infected. When you download a file from there you run a higher risk of downloading malware with it.
Tabbydaze (author, posted January 13, 2006)

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
UPX! 1/7/2006 4:16:40 PM 218112 C:\Program Files\HijackThis.exe
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/4/2004 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
winsync 8/4/2004 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PECompact2 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/4/2004 12:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 12/20/2005 5:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 2/14/1997 11:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
Checking %System%\Drivers folder and sub-folders...
UPX! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/13/2006 2:25:39 PM
Dragon (posted January 13, 2006)

Well, you definitely got something there, so let's get rid of it, shall we.

First let's show your hidden files and folders:
open My Computer, then click on Tools and select Folder Options;
next click on the View tab;
scroll down and find "Show hidden files and folders" and click on the radio button next to it;
close My Computer.

Boot into safe mode, start My Computer and then navigate to and delete this file:
C:\WINDOWS\SYSTEM32\aswBoot.exe

Finally:
Click Start > Run. Type regedit, then click OK.
Back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
To do this, click on File and then select Export. Choose a file name you will easily identify and save it to a place you will remember, like your desktop.
Next navigate to the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In the left pane, delete the subkey:
"Xuy v palto"
Exit the Registry Editor.
Reboot your computer to safe mode and get a fresh WinPFind log, then post it in this topic.
Tabbydaze (author, posted January 13, 2006)

I didn't find the Xuy v palto; there was nothing showing in the pane at all. Here's the new scan:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
UPX! 1/7/2006 4:16:40 PM 218112 C:\Program Files\HijackThis.exe
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/4/2004 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
winsync 8/4/2004 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PECompact2 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 8:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/4/2004 12:00:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 8/4/2004 12:00:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PEC2 2/14/1997 11:24:14 PM 197171 C:\WINDOWS\SYSTEM32\Dwapilib.tlb
Checking %System%\Drivers folder and sub-folders...
UPX! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 1/11/2006 4:34:10 PM 749600 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
PM HS 51477 C:\WINDOWS\DRM\migration.log 1/4/2006 10:17:18 PM HS 13824 C:\WINDOWS\DRM\drmv2.licIndex 1/4/2006 10:54:04 PM HS 488 C:\WINDOWS\DRM\v2ksndv.bla 1/4/2006 10:54:04 PM HS 313544 C:\WINDOWS\DRM\IndivBox.key 1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini 1/10/2006 7:16:14 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini 1/10/2006 7:17:32 PM H 626688 C:\WINDOWS\repair\ntuser.datChecking for CPL files...Microsoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cplSun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cplAvance Logic, Inc. 7/16/2002 1:08:00 PM 629248 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPLMicrosoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cplMicrosoft Corporation 8/4/2004 12:00:00 
PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cplMicrosoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 94208 
C:\WINDOWS\SYSTEM32\dllcache\timedate.cplMicrosoft Corporation 8/4/2004 12:00:00 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cplMicrosoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»Checking files in %ALLUSERSPROFILE%\Startup folder... 1/10/2006 7:17:30 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.iniChecking files in %ALLUSERSPROFILE%\Application Data folder... 1/10/2006 7:10:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.iniChecking files in %USERPROFILE%\Startup folder... 12/1/2005 9:05:22 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.iniChecking files in %USERPROFILE%\Application Data folder... 12/1/2005 8:57:18 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] SV1 = [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] {FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = %SystemRoot%\system32\SHELL32.dll {53C74826-AB99-4d33-ACA4-3117F51D3788} = %SystemRoot%\system32\SHELL32.dll[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved][HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu {85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = 
%SystemRoot%\system32\SHELL32.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dllHKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu {AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLLHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = 
%SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829} = C:\WINDOWS\SYSTEM32\SHELL32.DLLHKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1} = C:\WINDOWS\SYSTEM32\DOCPROP2.DLL[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\Program Files\Spybot - Search & Destroy\SDHelper.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7} Google Toolbar Helper = c:\program files\google\googletoolbar1.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] {2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} ButtonText = Yahoo! 
Messenger : C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars][HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Yahoo! 
Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\servicesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolderHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupregHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state system.ini 0 win.ini 0 bootini 0 services 0 startup 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NetworkHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\RatingsHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRulesHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp NoRealMode 1[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun •[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = 
C:\WINDOWS\system32\upnpui.dll PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dllHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the 
WinPFind folder.Scan completed on 1/13/2006 3:57:21 PM Link to post Share on other sites
Tabbydaze (Author) Posted January 14, 2006 (edited)

I just did a few scans; Ad-Aware and AVG have clean scans. True Sword found these to fix (past scans showed LOTS to fix, so things are looking better, huh?):

Known malicious program
Here is its description: Malicious component or program is found in processes: ALG.EXE. Added by the DEMOTRY-B WORM!
Known malicious program
Here is its description: Malicious component is found in files winamp.exe. "Added by a variant of the RBOT WORM! Note - this is NOT the popular Winamp media player which has the filename ""winampa.exe"""
Known malicious program
Here is its description: Malicious component is found in files winampa.exe. Added by the LOONY-I TROJAN! Note - this is NOT the popular Winamp media player which has the same filename

I did notice that "winampa" in my files the other day; I use Winamp daily and was wondering what the hell that was. Think that accounts for anything, or is that just "simple" spyware?

Edited January 14, 2006 by Tabbydaze
Dragon Posted January 14, 2006

Please post a fresh HijackThis log so I can look it over. I have never heard of True Sword before, so this could be what's called a "false positive". I'll have the next, and hopefully final, step for you after you respond.
Tabbydaze (Author) Posted January 15, 2006

Logfile of HijackThis v1.99.1
Scan saved at 9:39:55 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Dragon Posted January 15, 2006

It appears that you did this scan in safe mode. Could you please do a scan in normal mode and post it? Thanks.
Tabbydaze (Author) Posted January 15, 2006

Weird, I had just walked in the door and turned my PC on to check for replies here and saw you wanted the log, so there it is, not in safe mode. Is that common? Here it is again:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:14 AM, on 1/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Dragon Posted January 16, 2006

This is odd; it appears as though you are missing programs that you had on there before. Are all your programs working OK?

I also did some research on that True Sword. I recommend you reinstate all the "Quarantined" files it has collected. I also advise that you uninstall it and not use it anymore. More information can be obtained at Spyware Warrior: Rogue/Suspect list:

True Sword - securitystronghold.com - ridiculous false positives work as goad to purchase [A: 1-3-06 / U: 1-3-06]

From the looks of it, this program was just added January 3, 2006. This may be the cause of your HijackThis log looking like it was run from safe mode.
Tabbydaze (Author) Posted January 18, 2006

I "think" things are working OK; I haven't had any time with the PC in days, though. I uninstalled that True Sword. Here is a HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:33:42 AM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135876581671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37510.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Dragon Posted January 18, 2006

Well, you now have a new infection listed.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an X in the boxes only next to the following item, then click Fix checked:

O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe

After that is done, reboot to safe mode, then find the following folders and delete them if found:

C:\Program Files\MediaGateway
C:\Program Files\180solutions

Reboot to normal mode and post a fresh HijackThis log.
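Dragon spotted the MediaGateway entry by comparing the 1/18 log against the 1/15 one. The Python below is an added example, not part of this thread or of HijackThis: it parses the section entries and the running-process list of two HijackThis 1.99.1 logs and reports what appeared or disappeared between scans. The embedded logs are abbreviated copies of the two posted above; the O4/O23 grouping used for "autostart" is the editor's choice.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# HijackThis prefixes every entry line with its section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; header lines and the running-process list carry none.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Sections in the logs above that persist a program across reboots: O4 (Run keys and
# Startup folder) and O23 (services). A new line in these deserves the closest look.
AUTOSTART_KINDS = {"O4", "O23"}

@dataclass(frozen=True)
class Entry:
    kind: str  # e.g. "O4"
    body: str  # everything after "O4 - "

def parse_hjt(log: str) -> list[Entry]:
    """Return the section entries of a HijackThis log in file order (CRLF tolerant)."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries

def running_processes(log: str) -> list[str]:
    """Return the image paths listed under 'Running processes:' up to the blank line."""
    procs, in_block = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line or ENTRY_RE.match(line):
                break
            procs.append(line)
    return procs

def new_entries(baseline: str, current: str) -> list[Entry]:
    """Entries in `current` that the earlier `baseline` log did not have."""
    seen = set(parse_hjt(baseline))
    return [e for e in parse_hjt(current) if e not in seen]

def removed_entries(baseline: str, current: str) -> list[Entry]:
    """Entries that vanished between scans (a cleanup, or an uninstalled program)."""
    return new_entries(current, baseline)

def new_autostarts(baseline: str, current: str) -> list[Entry]:
    """New entries restricted to the persistence sections, the first things to triage."""
    return [e for e in new_entries(baseline, current) if e.kind in AUTOSTART_KINDS]

def process_changes(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """(added, removed) running-process paths, compared case-insensitively."""
    old = {p.lower(): p for p in running_processes(baseline)}
    new = {p.lower(): p for p in running_processes(current)}
    return ([new[k] for k in new if k not in old],
            [old[k] for k in old if k not in new])

def format_entry(e: Entry) -> str:
    """Render an entry exactly as HijackThis prints it, i.e. the line a helper quotes back."""
    return f"{e.kind} - {e.body}"

# Abbreviated copies of the 1/15/2006 and 1/18/2006 logs posted in the thread.
BASELINE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:37:14 AM, on 1/15/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""
CURRENT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:33:42 AM, on 1/18/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

if __name__ == "__main__":
    for e in new_autostarts(BASELINE_LOG, CURRENT_LOG):
        print("NEW AUTOSTART:", format_entry(e))
    added, removed = process_changes(BASELINE_LOG, CURRENT_LOG)
    print("processes added:", added, "removed:", removed)
```

Run against full logs, the diff also shows the Panda ActiveScan O16 entry that disappeared between the two posts, which is the kind of difference Dragon remarked on when programs went missing.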