# AIM Virus



## Moocat (Sep 12, 2005)

very angry... i had the same virus given thru aim and it installed a ie search bar, and some other junk which i deleted a few days ago, and i have one day of calm until it all came back yesterday. Nortan has told me i have trojans, it says it detects them running and deleted them, but it happens over and over, so i think i have a trojan downloader or something? also, getting CONSTANT popups for registry cleaner and winfixer. the first time i used killbox to delete pokapoka65.exe and pokapoka66.exe, but they came back according to hijackthis. i also ran ewido in safe mode with system restore off, and then ran cleanup! if anyone can tell me what i still have left to do to save me computer, i would be very appreciative! here's my log :

Logfile of HijackThis v1.99.1
Scan saved at 2:15:57 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\NI.UWFX5\setup.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm889.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [udzskj] C:\WINDOWS\system32\xpnaiyy.exe r
O4 - HKLM\..\RunServices: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0012.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs.dll,MsgPlusLoader.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dwsetup.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

____________________________________________

thanks, any help someone can give would be awesome!


----------



## dvk01 (Dec 14, 2002)

moocat

i've split you off into your own thread as it's impossible to deal with 2 people on one thread

start off with

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install *vx2cleaner_inst.exe*, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on *Add-ons* in the lefthand column. Select *VX2 Cleaner V2.0* and click *Run Tool*. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the *Start* button in Ad-Aware, select "Perform smart system scan" and click *Next*. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido. 
When installing, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click *OK*. We will fix this in a moment.
From the main ewido screen, click on *update* in the left menu, then click the *Start update* button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the *Scanner* button in the left menu, then click on *Complete System Scan*. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.


----------



## Moocat (Sep 12, 2005)

awesome thanks for the help, i'm about to go off to class, though, so when i get back to my dorm i'll do as you have said  sorry if i posted that in the wrong thread, most forums i'm used to solving one problem in one thread, but i guess web design and viruses are two different games, huh... thanks alot, i'll get on it in about 1 hr 40 minutes.


----------



## Moocat (Sep 12, 2005)

got back from class about 4 hours ago, and finished all those scans just now. heres the ewido log: 
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:00:31 PM, 9/12/2005
+ Report-Checksum: 4ED08959

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
[632] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[680] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[692] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[864] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1000] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[1480] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[240] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[260] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[364] C:\WINDOWS\System32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2168] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2536] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2564] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2668] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2112] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2840] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2956] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2972] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3044] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3224] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3220] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3284] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3324] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[216] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3500] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3520] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[2044] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3600] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3740] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
[3792] C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\!Submit\pokapoka66.exe -> TrojanDownloader.Agent.tv : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D6SD620R\WinFixer2005ScannerInstall[1].cab/UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\system32\Poller.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\repairs.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\w031319.Stub.exe -> TrojanDownloader.Delmed.a : Cleaned with backup

::Report End
---------------------------------------------------

and the HjT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:48 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm889.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0012.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs.dll,MsgPlusLoader.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dwsetup.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

----------------------------------------------------------

edit: right after posting these logs, i got a popup from surf sidekick. :\ however it looks like it got that VX2 thing, whatever that is


----------



## dvk01 (Dec 14, 2002)

next uninstall surfsidekick froim add/remove programs in control panel

then

Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick *ClickThis.bat*
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

then post a fresh hjt LOG


----------



## Moocat (Sep 12, 2005)

okay i uninstalled surf sidekick, but right below it is a program called "the best deals" with the symbol i see next to at least half of the popups, and when i tell it to remove this program, it opens an ad in IE, and no uninstall procedure is taken.


----------



## Moocat (Sep 12, 2005)

ok just finished the restart after running clickthis.bat. surf sidekick is _not_ in add/remove (yay!), but "the best deals" still is. here's my log :

Logfile of HijackThis v1.99.1
Scan saved at 9:52:30 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm889.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0012.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dwsetup.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


----------



## dvk01 (Dec 14, 2002)

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R3 - Default URLSearchHook is missing

O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsm889.dll (file missing)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft System DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft System DLL Services Configuration] windir32.exe

O4 - HKCU\..\Run: [Microsoft System DLL Services Configuration] windir32.exe

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0012.exe

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\dwsetup.dll (file missing)

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\WINDOWS\system32\windir32.exe
C:\WINDOWS\system32\dwsetup.dll

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then reboot & post a fresh HJT log

also do this please

download pflist.bat to your desktop from www.thespykiller.co.uk/files/pflist.bat

double click it and it will make a list of ALL files in program files so we can plough through them and spot the dodgy ones, hopefully

it will only pop up for a quick flash

now go to c:\ and look for pflist.txt
and uplaod that here please


----------



## dvk01 (Dec 14, 2002)

It's also possible that you have the remnants of a VX2/L2m hijack so also do this please

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


----------



## Moocat (Sep 12, 2005)

alright, starting to do all that now


----------



## Moocat (Sep 12, 2005)

done with everything from that first post: killbox could NOT find either of those two items.

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:59:16 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-------------------------------------
Pflist:
all files and folders in C:\program files
Volume in drive C has no label.
Volume Serial Number is 8454-605C

Directory of C:\Program Files

09/13/2005 09:41 AM .
09/13/2005 09:41 AM ..
09/09/2005 10:04 PM a2 Free
07/07/2005 03:57 PM Adobe
09/08/2005 12:32 PM ahead
09/10/2005 02:11 PM AIM
06/19/2005 02:02 PM Alcohol Soft
10/30/2004 03:15 PM Alwil Software
06/19/2005 03:27 PM ANI
09/10/2005 02:11 PM AOD
06/19/2005 02:29 PM AOL
06/28/2005 07:55 PM ArtMoney
12/31/2004 12:12 AM ATI Technologies
06/23/2004 08:58 PM AWS
07/17/2005 12:32 AM Azureus
01/02/2005 12:47 AM BitTornado
06/15/2005 10:59 PM Cakewalk
09/11/2005 04:13 PM Cas
09/11/2005 10:12 PM CasStub
09/09/2005 09:15 PM CleanUp!
09/11/2005 10:41 PM Common Files
08/02/2003 08:02 AM ComPlus Applications
06/15/2005 10:08 PM Creative
05/01/2005 07:59 PM D-Link
06/07/2005 04:25 PM DAP
09/09/2005 03:02 PM DAZ
08/08/2004 06:20 PM Deus Ex - Invisible War
08/03/2003 03:17 PM directx
01/31/2004 03:03 AM DivX
06/24/2005 09:27 PM Doom 3
06/12/2004 10:20 PM e-Games
09/26/2003 09:35 PM Eidos Interactive
09/12/2005 10:09 AM eMule
09/09/2005 05:13 PM ewido
06/07/2005 02:21 AM Executive Software
08/28/2005 09:19 PM FlashFXP
08/12/2003 05:00 PM Fox
09/12/2005 10:11 PM GetRight
04/15/2005 06:17 PM GoldWave
08/29/2005 07:33 AM Google
07/04/2005 03:13 PM Grisoft
08/20/2005 05:35 PM HLSW
06/07/2005 01:43 AM HSHelper
08/03/2003 01:37 AM 808 INSTALL.LOG
08/03/2003 05:33 PM InterAdventure
08/14/2005 03:01 AM Internet Explorer
08/31/2005 10:03 PM Java
08/30/2003 07:04 PM Kaspersky Lab
07/06/2004 10:24 PM Kazaa Lite Resurrection
06/07/2005 01:50 AM KnightOnline
09/07/2005 12:04 AM Lavasoft
08/29/2005 09:13 PM LimeWire
02/05/2005 04:55 PM Line6
04/16/2005 06:50 PM Lineage2
08/21/2003 08:20 PM Linksys
05/15/2004 05:02 PM Logitech
08/03/2005 08:37 AM LucasArts
04/07/2004 02:40 PM Macro Express3
01/02/2005 01:05 AM Macromedia
08/01/2005 05:01 PM MagicISO
08/03/2003 09:56 PM Max Payne
08/30/2003 07:24 PM McAfee
08/29/2005 11:47 AM Messenger
08/29/2005 11:16 AM MessengerPlus! 3
07/17/2005 09:59 AM Microsoft ActiveSync
08/06/2003 05:26 PM microsoft frontpage
06/09/2005 12:00 PM Microsoft Games
07/17/2005 09:58 AM Microsoft Office
08/06/2003 05:28 PM Microsoft Visual Studio
07/17/2005 09:57 AM Microsoft.NET
09/02/2005 10:08 AM mIRC
09/26/2004 11:39 AM Movie Maker
09/09/2005 09:24 PM Mozilla Firefox
01/23/2005 12:24 AM MP3 WAV Converter
08/24/2005 10:51 PM Mplayer
08/02/2003 08:02 AM MSN
08/02/2003 08:02 AM MSN Gaming Zone
08/29/2005 11:47 AM MSN Messenger
05/07/2005 06:52 PM NapMX
06/08/2005 03:18 AM NetMeeting
07/27/2005 04:39 PM Nexon
08/19/2005 04:40 PM Norton Anti Virus
07/17/2005 12:24 PM OfficeUpdate11
08/02/2003 08:04 AM Online Services
09/26/2004 11:36 AM Outlook Express
11/24/2004 04:18 PM Perfect Screens
07/12/2004 08:28 PM Psygnosis
08/25/2005 02:40 PM Quake III Arena
09/09/2005 11:47 AM QuickPar
07/11/2004 04:22 PM QuickTime
12/24/2003 01:31 PM RamBooster
05/15/2004 05:03 PM Real
05/15/2004 05:02 PM Reality Fusion
09/09/2005 04:54 PM RegClean32
07/18/2005 08:21 AM Rockstar Games
08/12/2004 05:12 PM SlySoft
05/06/2005 11:11 PM SmartFTP
05/06/2005 11:11 PM SmartFTP Setup Files
08/29/2004 03:22 PM softnyx
08/24/2004 05:17 PM Soldier of Fortune II - Double Helix
07/28/2005 12:17 AM Source Viewer
04/15/2005 06:07 PM Spybot - Search & Destroy
06/07/2005 02:45 AM Spyware Doctor
08/10/2005 12:38 AM SpywareBlaster
08/19/2005 04:42 PM Symantec
09/13/2005 10:56 AM Symantec AntiVirus
07/20/2004 08:34 AM Teamspeak2_RC2
08/25/2003 12:48 AM The All-Seeing Eye
07/16/2005 08:33 PM TrueDownloader
07/10/2004 07:31 PM Ubi Soft
08/03/2003 03:24 PM UT2003HQ 71 Maps - Map Pack
08/03/2003 03:27 PM UT2003HQ 77 Maps - Map Pack 2
08/20/2005 06:29 PM Valve
08/14/2005 10:42 AM Ventrilo
01/22/2005 10:28 PM Viewpoint
12/29/2003 08:56 PM Vivendi Universal Games
06/09/2005 02:21 PM Warcraft III
01/30/2005 01:16 PM Webroot
08/30/2004 08:08 PM Webzen
09/01/2005 08:41 AM Winamp
05/20/2005 06:36 PM Windows Media Player
09/26/2004 11:36 AM Windows NT
09/12/2005 08:18 PM WinFixer 2005
09/11/2005 11:06 PM WinMX
06/15/2004 06:32 PM WinRAR
08/03/2003 02:04 PM WinZip
08/02/2003 08:05 AM xerox
12/26/2004 02:39 PM Zone Labs
09/08/2005 12:07 PM ZTekWare
1 File(s) 808 bytes
128 Dir(s) 48,107,380,736 bytes free
----------------------------------


----------



## Moocat (Sep 12, 2005)

it wouldn't let me post this in my last post so i had to split it.

Stuff from your second post: 
I ran l2mfix.bat after installing, and i got this error: (NOTE: i'm using windows xp, could this have anything to do with the error?)
Title: 16 bit MS-DOS subsystem
Text: c:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application
options: "close" / "ignore"

I pressed "Ignore" and got this for my log:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E71D5D32-2C98-FB68-14E6-0116B0DD8B55}"=""
"acc=jocker"=" "

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}"="Multiscan"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{73052ECC-0FFB-4949-BA30-C18583CF6702}"=""
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}"="Universal Plug and Play Devices"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{950FF917-7A57-46BC-8017-59D9BF474000}"="Shell Extension for CDRW"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{73052ECC-0FFB-4949-BA30-C18583CF6702}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73052ECC-0FFB-4949-BA30-C18583CF6702}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73052ECC-0FFB-4949-BA30-C18583CF6702}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73052ECC-0FFB-4949-BA30-C18583CF6702}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwsetup.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 8454-605C

Directory of C:\WINDOWS\System32

09/10/2005 01:45 PM dllcache
01/15/2004 03:14 PM 233,472 REX Shared Library.dll
08/21/2003 08:20 PM Microsoft
1 File(s) 233,472 bytes
2 Dir(s) 48,105,840,640 bytes free
-----------------------------------------------
5 minutes after i posted this i got another popup.


----------



## Moocat (Sep 12, 2005)

any ideas?


----------



## dvk01 (Dec 14, 2002)

L2M looks clear

for the NT error message do this

If you get an error similar to:
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc'
Go here and use the appropriate fix for your system
http://www.tech-forums.net/computer/topic/29806.html

but while you are using half a dozen different P2P programs you are wide open to attacks

are you still having any mopre problems or pop ups or whatever


----------



## Moocat (Sep 12, 2005)

I actually don't run p2p programs except for eMule on my computer anymore, i just haven't uninstalled them yet. i run azureus for BT tho. is it really the easy to attack someone running a p2p client?
yes i'm still getting popups, but far fewer than before. There is still an entry in my add/remove program list called "The best offers" and the logo next to that item is the logo that comes up in my popups. when i hit remove it gives me a popup but does not uninstall. :\ 
thanks for all the help so far, it's worked great, gotten all those narsty viruses off, just one adware left (as far as i can see). does the HJT log look clean?


----------



## dvk01 (Dec 14, 2002)

OK the log looks clean but it's obvious you aren't

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so we can work out the way to delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## Moocat (Sep 12, 2005)

okay ran activescan and HJT again, here are logs: 
Logfile of HijackThis v1.99.1
Scan saved at 3:58:10 PM, on 9/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

_________________________________

ActiveScan:

Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll 
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Cas\Client\Uninstall.exe 
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini 
Adware:Adware/Aurora No disinfected C:\WINDOWS\ypixqw.exe

it apparently couldn't clean/delete anything... :\


----------



## dvk01 (Dec 14, 2002)

uninstall winfixer2005

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
C:\Program Files\Cas\Client\Uninstall.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\ypixqw.exe

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

*delete these folders *

C:\Program Files\Cas
C:\Program Files\CasStub
C:\Program Files\WinFixer 2005

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then reboot & tell us how it is


----------



## Moocat (Sep 12, 2005)

okay, i have done as you said and rebooted, going to do another activescan now  but so far, no popups, which is wonderful


----------



## Moocat (Sep 12, 2005)

nevermind, i spoke too soon, i just got two popups for WinAntiVirus Pro 2006 as soon as i opened the activescan window


----------



## dvk01 (Dec 14, 2002)

OK

Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please run RKFiles.bat. It may take a while. When it is finished a windows should appear with a log. Make sure that log is saved!

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Then please download DLLCompare from here:
http://downloads.subratam.org/DllCompare.exe
Save it to the desktop and run it. Click "Run Locate.com" to scan for DLL files. When the scan is finished, click "Compare". Finally, when that is complete, click "Make a Log of What Was Found". Please post the entire contents of the logfile here for me.

Post a new HiJackThis log as well (so your next post should consist of 3 logs!)

then

download & run http://www.silentrunners.org/Silent Runners.vbs

save it to desktop & run it from there (double click on it to run) follow all it's prompts and it will make a file called startup programs , copy the contents of that list back here
then


Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

Download *Track qoo*
Save it somewhere you will remember like the *Desktop*


Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!


Reboot back to Normal Mode!

Double Click on "*Track qoo.vbs*"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and paste them in your next post along with the results of WinPFind!

somewhere amongst that lot we should find the pest causing it


----------



## Moocat (Sep 12, 2005)

okay sorry it took so long to reply, but i've been getting more problems recently with web browsing. EDIT: deleted the problem, it's happening on my laptop AND my roomate's computer so i assume that its not restricted to my computer, but a fault with the network. speaking of which my internet went down just as i hit the post button so i had time to type this message while it came back up.


----------



## Moocat (Sep 12, 2005)

ok i did the scan but after i restarted in normal mode, all my desktop icons got rearranged!!! anyway here's the log: 
C:\Documents and Settings\Owner\Desktop 

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\system32\lame_enc.dll: UPX!
C:\WINDOWS\system32\locate.com: WAUPX!
C:\WINDOWS\system32\DivXdec.ax: FSg!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\sciyboparnp.exe: UPX!
Finished
bye


moving on to the next step. here's the locate.com log

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\rexsha~1.dll Thu Jan 15 2004 3:14:38p A.S.. 233,472 228.00 K
________________________________________________

1,397 items found: 1,397 files (1 H/S), 0 directories.
Total of file sizes: 299,172,676 bytes 285.31 M

Administrator Account = True

AppInit_DLLs value = MsgPlusLoader.dll (not hidden)
--------------------End log---------------------


----------



## Moocat (Sep 12, 2005)

locate.com log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\rexsha~1.dll Thu Jan 15 2004 3:14:38p A.S.. 233,472 228.00 K
________________________________________________

1,397 items found: 1,397 files (1 H/S), 0 directories.
Total of file sizes: 299,172,676 bytes 285.31 M

Administrator Account = True

AppInit_DLLs value = MsgPlusLoader.dll (not hidden)
--------------------End log---------------------

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:00 PM, on 9/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\Owner\Desktop\Firefox CE\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


----------



## Moocat (Sep 12, 2005)

three more logs
silentrunners:
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RamBooster" = "C:\Program Files\RamBooster\Rambooster.exe" [null data]
"RemoteCenter" = "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" ["Creative Technology Ltd."]
"Steam" = ""c:\program files\valve\steam\steam.exe" -silent" ["Valve Corporation"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [null data]
"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSysVol" = "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" ["Creative Technology Ltd"]
"CTDVDDet" = "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" ["Creative Technology Ltd"]
"SBDrvDet" = "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"D-Link AirPlus XtremeG" = "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" ["D-Link"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "bho2gr Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}\(Default) = "Watch for Browser Events" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MACROE~1\iCapture.dll" ["Insight Software Solutions, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = "FlashFXP Helper for Internet Explorer" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73052ECC-0FFB-4949-BA30-C18583CF6702}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dwsetup.dll" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gggyfggg\(Default) = "{0315518b-0a8d-4871-a0ba-f43862be7ec4}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\rrrku.dll" [file not found]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 177 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 277 seconds)


----------



## Moocat (Sep 12, 2005)

winPfind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/15/2005 9:03:46 PM 741 C:\log.txt
FSG! 9/15/2005 9:03:46 PM 741 C:\log.txt
PEC2 9/15/2005 9:03:46 PM 741 C:\log.txt
UPX! 9/15/2005 9:02:02 PM 226 C:\win.txt
FSG! 9/15/2005 9:02:02 PM 226 C:\win.txt
PEC2 9/15/2005 9:02:02 PM 226 C:\win.txt
UPX! 9/15/2005 9:02:34 PM 34 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
abetterinternet.com 7/4/2005 3:37:26 PM 11014 C:\WINDOWS\aaanj.dll
web-nex 7/4/2005 3:37:26 PM 11014 C:\WINDOWS\aaanj.dll
ad-w-a-r-e.com 7/4/2005 3:37:26 PM 11014 C:\WINDOWS\aaanj.dll
UPX! 7/8/2002 11:33:24 PM 84480 C:\WINDOWS\sciyboparnp.exe

Checking %System% folder...
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 12/10/2003 4:36:10 PM 238080 C:\WINDOWS\SYSTEM32\DivXdec.ax
UPX! 7/29/2004 2:19:46 AM 175104 C:\WINDOWS\SYSTEM32\lame_enc.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/15/2005 10:15:12 PM S 2048 C:\WINDOWS\bootstat.dat
9/15/2005 10:12:18 PM H 57 C:\WINDOWS\pzcsZ
9/15/2005 2:53:18 PM H 54156 C:\WINDOWS\QTFont.qfn
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/15/2005 10:15:02 PM H 8192 C:\WINDOWS\system32\config\default.LOG
9/15/2005 10:15:28 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/15/2005 10:15:14 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
9/15/2005 10:15:32 PM H 77824 C:\WINDOWS\system32\config\software.LOG
9/15/2005 10:15:20 PM H 1310720 C:\WINDOWS\system32\config\system.LOG
9/15/2005 3:03:08 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
9/15/2005 10:12:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 1:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Line 6 6/26/2003 11:41:40 AM 65536 C:\WINDOWS\SYSTEM32\l6gpcpl.cpl
Line 6 12/14/2004 2:10:58 PM 61440 C:\WINDOWS\SYSTEM32\l6plvcpl.cpl
Line 6 10/5/2004 8:58:10 PM 65536 C:\WINDOWS\SYSTEM32\l6pxtcpl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation  8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2003 11:16:20 AM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/2/2003 8:05:20 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/16/2005 8:37:02 PM 694 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/2/2003 2:44:44 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/2/2003 8:05:20 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/2/2003 2:44:44 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
9/13/2005 9:41:34 AM 37 C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
= 
acc=jocker =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{73052ECC-0FFB-4949-BA30-C18583CF6702} = C:\WINDOWS\system32\dwsetup.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gggyfggg
{0315518b-0a8d-4871-a0ba-f43862be7ec4} = C:\WINDOWS\system32\rrrku.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}
bho2gr Class = C:\Program Files\GetRight\xx2gr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}
Watch for Browser Events = C:\PROGRA~1\MACROE~1\iCapture.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}
FlashFXP Helper for Internet Explorer = C:\PROGRA~1\FlashFXP\IEFlash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM	: C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll
{5F1ABCDB-A875-46C1-8345-B72A4567E486} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTSysVol	C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
CTDVDDet	C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
SBDrvDet	C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
UpdReg	C:\WINDOWS\UpdReg.EXE
HTpatch	C:\WINDOWS\htpatch.exe
CTHelper	CTHELPER.EXE
Cmaudio	RunDll32 cmicnfg.cpl,CMICtrlWnd
D-Link AirPlus XtremeG	C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
ATIPTA	C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ccApp	"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray	C:\PROGRA~1\SYMANT~1\VPTray.exe
MessengerPlus3	"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NeroFilterCheck	C:\WINDOWS\system32\NeroCheck.exe
InCD	C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RamBooster	C:\Program Files\RamBooster\Rambooster.exe
RemoteCenter	C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
Steam	"c:\program files\valve\steam\steam.exe" -silent
MSMSGS	"C:\Program Files\Messenger\msmsgs.exe" /background
msnmsgr	"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
PhotoShow Deluxe Media Manager	C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
AIM	C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs	MsgPlusLoader.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/15/2005 10:31:13 PM

track qoo:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"CTHelper"="CTHELPER.EXE"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"D-Link AirPlus XtremeG"="C:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- gggyfggg
{0315518b-0a8d-4871-a0ba-f43862be7ec4}
C:\WINDOWS\system32\rrrku.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB}
C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
GetRight - Tray Icon.lnk
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk
desktop.ini
GetRight - Tray Icon.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files

access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
AudioHQU.cpl Creative Technology Ltd.
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
l6gpcpl.cpl Line 6
l6plvcpl.cpl Line 6
l6pxtcpl.cpl Line 6
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation


----------



## dvk01 (Dec 14, 2002)

Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\Documents and Settings\Owner\Application Data\Sskuknwrd.dll
C:\WINDOWS\aaanj.dll
C:\WINDOWS\sciyboparnp.exe
C:\WINDOWS\system32\rrrku.dll
C:\WINDOWS\system32\dwsetup.dll

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

let us know how it is then


----------



## Moocat (Sep 12, 2005)

C:\WINDOWS\system32\rrrku.dll
C:\WINDOWS\system32\dwsetup.dll

those two could not be found by killbox, and i couldn't find them by browsing. hide extensions is off, hide system files is off, and show hidden folders/files is on.


----------



## dvk01 (Dec 14, 2002)

don't worry

i would have expected your antivirus to hget those 2 anyway and they were only registry references left over 

how is it running


----------



## Moocat (Sep 12, 2005)

my bad, i forgot to tell you i was going away for a weekend because its my birthday  

in the time i used that computer between when i fixed it and when i left, it was actually running perfectly. i really appreciate your help  i'll test it a little more extensively on monday!


----------



## dvk01 (Dec 14, 2002)

Have a nice Birthday and a good weekend and let us know how it is when you come back


----------



## Moocat (Sep 12, 2005)

thank you 
i am back, and i'm still getting this one popup:

">Spyware may be damaging your computer

>If you are experiencing unwanted POPUP ads, slow computer speeds, or even computer crashes, your computer may be infected with spyware.

>Click 'OK' to scan your computer, NOW."

yeah so i have spyware that comes right out and announces that i have spyware, cool isn't it. i'm not sure where to start to show you where it is or how to fix it, so i'll just do a HJT log, there may still be something in there... 

Logfile of HijackThis v1.99.1
Scan saved at 10:58:18 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Firefox CE\firefox.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


----------



## dvk01 (Dec 14, 2002)

download log2.bat to your desktop from www.thespykiller.co.uk/files/log2.bat

double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully

it will only pop up for a quick flash

now go to c:\ and look for log2.txt

It will be too big to upload here so go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload there
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the file on your computer, when the file is listed in the windows press send to upload the files


----------



## Moocat (Sep 12, 2005)

uploaded
http://www.thespykiller.co.uk/forum/index.php?topic=723.0


----------



## dvk01 (Dec 14, 2002)

I've found some suspicious files that I would lime to look at please

download suspicious file packer from http://www.safer-networking.org/en/tools/index.html and unzip it to desktop, open it & 
paste in this list of files and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?topic=723.0 so we can examine the files just press reply on that thread and attach the zip file that SFP makes

C:\WINDOWS\system32\ btnetw3-995329.exe
C:\WINDOWS\system32\dzcore.dll
C:\WINDOWS\system32\dzcore.pdb
C:\WINDOWS\system32\dzwrapper.dll
C:\WINDOWS\system32\dzwrapper.pdb
C:\WINDOWS\system32\jspkodak.dll
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\sav2.exe
C:\WINDOWS\system32\settings.sfm
C:\WINDOWS\system32\settingsbkup.sfm
C:\WINDOWS\EBEFGGGJ.ini
C:\WINDOWS\system32\cache32dsrf4535dfs\*.*


----------



## Moocat (Sep 12, 2005)

uploaded to the address specified


----------



## dvk01 (Dec 14, 2002)

all these are OK and are part of DAZ DV http://www.daz3d.com/

C:\WINDOWS\system32\dzcore.dll
C:\WINDOWS\system32\dzcore.pdb
C:\WINDOWS\system32\dzwrapper.dll
C:\WINDOWS\system32\dzwrapper.pdb

C:\WINDOWS\system32\settings.sfm
C:\WINDOWS\system32\settingsbkup.sfm are both soundcard settings so ok

these 4 are suspicious so are beeing looked at further 
C:\WINDOWS\system32\jspkodak.dll
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\sav2.exe
C:\WINDOWS\EBEFGGGJ.ini

this folder is part of surfsidekick adware so can be deleted 
C:\WINDOWS\system32\cache32dsrf4535dfs

and this one didn't get uploaded can you try and do it on it's own please
C:\WINDOWS\system32\btnetw3-995329.exe


----------



## Moocat (Sep 12, 2005)

ok deleted surf sidekick folder, and i uploaded the (just got a registry cleaner popup!) .cab file for bnetw3- etc .exe file


----------



## dvk01 (Dec 14, 2002)

this one is toolbar hotsearch installer so delete it 

C:\WINDOWS\system32\btnetw3-995329.exe


----------



## Moocat (Sep 12, 2005)

ok all done, haven't seen any popups or other bothersome occurrences, i'll post when/if i do  tyvm ;D


----------



## Moocat (Sep 12, 2005)

just got that spyware may be damaging your computer popup _again_... along with one other popup for restockit.com


----------



## dvk01 (Dec 14, 2002)

I am pretty sure it must be one of these files causding the problems so delete them anyway 
C:\WINDOWS\system32\jspkodak.dll
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\sav2.exe
C:\WINDOWS\EBEFGGGJ.ini


----------



## dvk01 (Dec 14, 2002)

and please give me a new silent runners log and a new wpfind log


----------



## Moocat (Sep 12, 2005)

jspkodak.dll could not be deleted.
Silent runners
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RamBooster" = "C:\Program Files\RamBooster\Rambooster.exe" [null data]
"RemoteCenter" = "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" ["Creative Technology Ltd."]
"Steam" = ""c:\program files\valve\steam\steam.exe" -silent" ["Valve Corporation"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [null data]
"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"msnmsgr" = ""C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSysVol" = "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" ["Creative Technology Ltd"]
"CTDVDDet" = "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" ["Creative Technology Ltd"]
"SBDrvDet" = "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"D-Link AirPlus XtremeG" = "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" ["D-Link"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"MessengerPlus3" = ""C:\Program Files\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "bho2gr Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}\(Default) = "Watch for Browser Events" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MACROE~1\iCapture.dll" ["Insight Software Solutions, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = "FlashFXP Helper for Internet Explorer" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73052ECC-0FFB-4949-BA30-C18583CF6702}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dwsetup.dll" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
gggyfggg\(Default) = "{0315518b-0a8d-4871-a0ba-f43862be7ec4}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\rrrku.dll" [file not found]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 65 seconds, including 6 seconds for message boxes)


----------



## Moocat (Sep 12, 2005)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 9/15/2005 9:03:46 PM 741 C:\log.txt
FSG! 9/15/2005 9:03:46 PM 741 C:\log.txt
PEC2 9/15/2005 9:03:46 PM 741 C:\log.txt
UPX! 9/15/2005 9:02:02 PM 226 C:\win.txt
FSG! 9/15/2005 9:02:02 PM 226 C:\win.txt
PEC2 9/15/2005 9:02:02 PM 226 C:\win.txt
UPX! 9/15/2005 9:02:34 PM 34 C:\windows.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 12/10/2003 4:36:10 PM 238080 C:\WINDOWS\SYSTEM32\DivXdec.ax
UPX! 7/29/2004 2:19:46 AM 175104 C:\WINDOWS\SYSTEM32\lame_enc.dll
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/18/2005 10:50:40 PM S 2048 C:\WINDOWS\bootstat.dat
9/20/2005 5:39:34 PM H 24 C:\WINDOWS\pzcsZ
9/15/2005 2:53:18 PM H 54156 C:\WINDOWS\QTFont.qfn
9/19/2005 8:00:26 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/20/2005 2:16:32 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/20/2005 12:10:22 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/20/2005 5:35:32 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/20/2005 3:56:22 PM H 1024 C:\WINDOWS\system32\config\system.LOG
9/15/2005 3:03:08 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
9/18/2005 10:50:44 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 1:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Line 6 6/26/2003 11:41:40 AM 65536 C:\WINDOWS\SYSTEM32\l6gpcpl.cpl
Line 6 12/14/2004 2:10:58 PM 61440 C:\WINDOWS\SYSTEM32\l6plvcpl.cpl
Line 6 10/5/2004 8:58:10 PM 65536 C:\WINDOWS\SYSTEM32\l6pxtcpl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/3/2003 11:16:20 AM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/2/2003 8:05:20 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
7/16/2005 8:37:02 PM 694 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/2/2003 2:44:44 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/2/2003 8:05:20 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
8/2/2003 2:44:44 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
= 
acc=jocker =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{73052ECC-0FFB-4949-BA30-C18583CF6702} = C:\WINDOWS\system32\dwsetup.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gggyfggg
{0315518b-0a8d-4871-a0ba-f43862be7ec4} = C:\WINDOWS\system32\rrrku.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}
bho2gr Class = C:\Program Files\GetRight\xx2gr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}
Watch for Browser Events = C:\PROGRA~1\MACROE~1\iCapture.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}
FlashFXP Helper for Internet Explorer = C:\PROGRA~1\FlashFXP\IEFlash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM	: C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll
{5F1ABCDB-A875-46C1-8345-B72A4567E486} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google	: c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTSysVol	C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
CTDVDDet	C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
SBDrvDet	C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
UpdReg	C:\WINDOWS\UpdReg.EXE
HTpatch	C:\WINDOWS\htpatch.exe
CTHelper	CTHELPER.EXE
Cmaudio	RunDll32 cmicnfg.cpl,CMICtrlWnd
D-Link AirPlus XtremeG	C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
ATIPTA	C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ccApp	"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray	C:\PROGRA~1\SYMANT~1\VPTray.exe
MessengerPlus3	"C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
SunJavaUpdateSched	C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
NeroFilterCheck	C:\WINDOWS\system32\NeroCheck.exe
InCD	C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RamBooster	C:\Program Files\RamBooster\Rambooster.exe
RemoteCenter	C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
Steam	"c:\program files\valve\steam\steam.exe" -silent
MSMSGS	"C:\Program Files\Messenger\msmsgs.exe" /background
PhotoShow Deluxe Media Manager	C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
AIM	C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
msnmsgr	"C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs	MsgPlusLoader.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/20/2005 5:39:47 PM


----------



## Moocat (Sep 12, 2005)

just got another popup saying i have spyware on my computer! and to download some program to fix it.


----------



## dvk01 (Dec 14, 2002)

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select delete on reboot , press the red X button, say yes to the prompt & NO to reboot now 
[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\WINDOWS\system32\jspkodak.dll

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then reboot


----------



## Moocat (Sep 12, 2005)

killbox was unable to delete the file. 
it made my taskbar and desktop dissapear, but IE, winamp, and Firefox are still running.


----------



## Moocat (Sep 12, 2005)

rebooted and all works again, but still getting popups. so if even killbox can't delete this file if there any way to get rid of it?


----------



## Moocat (Sep 12, 2005)

4 more popups i just got (sorry if this information is unimportant, but i thought it would help to know what the windows are)
1: Online Security Center : something about an update but the main window is not resizable or scrollable and the whole thing is misaligned so that the text goes off the window. can't be maximized either.
2: window body is blank, title is "Cassava"
3: WinAntiVirus 2005 ad, title of window is "pl-cpmwin-01"
4: Special Savings ad from Dell.


----------



## dvk01 (Dec 14, 2002)

try & delete the file with killbox again but this time tick the unregister dll before deleting and end end explorer shell while deleting 

& select the normal delete option with killbox

tell me what message it gives


----------



## Moocat (Sep 12, 2005)

again, it crashed explorer, and said it could not be deleted. thats all it told me. i had both suggested options checked.


----------



## dvk01 (Dec 14, 2002)

OK let's try this

if C:\WINDOWS\system32\jspkodak.dll doesn't appear under winlogon don't worry just skip that step

Lets start off by downloading a few necessary programs.

Download and Unzip Process Explorer Here
_Scroll to the bottom of the page and select your Operating System_.
Unzip it to its own folder on the desktop so you can find it later.
Download and install Advanced Process Manipulation Here

*Now reboot into safe mode.*

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

* open Process Explorer*.
Scroll down in the main window and find *winlogon.exe*
Right click on *winlogon.exe* and select Suspend
Leave Process Explorer open.

*Now open Advanced Process Manipulation*.
Scroll down in the main window and find *c:\windows\explorer.exe*
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find *C:\WINDOWS\system32\jspkodak.dll
*
Right click on that entry and select Unload DLL
You will now lose your Start Bar and Desktop Icons. This is normal.
Leave Advanced Process Manipulation open

*Back in Advanced Process Manipulation*.
Scroll down in the main window and find *c:\windows\system32\winlogon.exe*
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find *C:\WINDOWS\system32\jspkodak.dll
*
Right click on that entry and select Unload DLL
You will have to click OK about six times

*Now back in Process Explorer*.
Find *winlogon.exe* again.
Right click on *winlogon.exe* and select Resume
This should reboot your computer automatically.

now Start killbox paste the first file listed below into the full pathname and file to delete box

The  file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt 
[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\WINDOWS\system32\jspkodak.dll

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything


----------



## Moocat (Sep 12, 2005)

okay about to do that, but i got a little extra info (if this is helpful). i got a system error message that goes like this:
title-Microsoft Visual C++ Runtime Library
body-Runtime Error!
Program:C:\PROGRAM FILES\NORSTROY\WDFOMPOS.EXE
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

um this has been coming up rather frequently actually. it may be an indicator of what is infecting me. i will take care of jspkodak.dll as soon as i get back from the class that starts in 10 minutes


----------



## dvk01 (Dec 14, 2002)

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
C:\PROGRAM FILES\NORSTROY\WDFOMPOS.EXE


----------



## Moocat (Sep 12, 2005)

strangely enough, that file doesn't exist on my system, and i copied that address directly from the error message.the entire directory NORSTROY doesn't exist. i have hide important system files OFF and all the other hiding options set so i can see everything, in all folders... strange! now beginning to do the thing with process explorer.


----------



## Moocat (Sep 12, 2005)

also it will not let me suspend winlogon.exe.


----------



## dvk01 (Dec 14, 2002)

This is getting weird and it might well be a lot safer and less time consuming to consider a backup of all docs & pictures/music etc and then format & reinstall 

this one is going to be very hard to fix


----------



## dvk01 (Dec 14, 2002)

just try this for me first please
download & run http://www.sysinternals.com/Utilities/RootkitRevealer.html 
save it's log and post back with the log

DO NOT attempt to fix anything it finds as most entries will be legitimate


----------



## Moocat (Sep 12, 2005)

i know it's a difficult fix and i highly appreciate your time and effort in helping me fix it  
downloaded rootkit revealer (i read the kapersky site since you recommend it so highly, and i think i'll buy it when version 6 comes out with the rootkit detection function. unless of course, they would let owners of 5 download a free upgrade. do they do that ? ) and running it right now
while scanning i see that NORSTROY folder is hidden from windows API! that's why it couldn't be deleted apparently. also i think the rootkit revealer locked up on saving the file... :\


----------



## Moocat (Sep 12, 2005)

every time i try and save the log the program freezes and the log is 0bytes with no entry in it. what should i do?


----------



## Moocat (Sep 12, 2005)

it gives about 500 results should i send u screenshots of what it says at the end of the scan?
edit to not make a whole lot of clutter: i'm trying the automatic scan feature to see if that will save a log without freezing me up. but last scan i had over 3,000 objects detected!


----------



## dvk01 (Dec 14, 2002)

try this opne instead 
http://www.f-secure.com/blacklight/


----------



## Moocat (Sep 12, 2005)

thank you  i'll try it as soon as i try RR one more time with the automatic mode


----------



## Moocat (Sep 12, 2005)

rootkit revealer worked in autmatic mode (thru command prompt) log is :
http://www.thespykiller.co.uk/forum/index.php?topic=723.0


----------



## dvk01 (Dec 14, 2002)

you might already have killbox but I want you to download it again as this version is a new one that will delete folders wwhereas the old one wouldn't

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, select unload dll if it is available and tick end explorer shell while deleting press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

If killbox says can't delete any of the files then select delete on reboot

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing let us know which ones

C:\WINDOWS\system32\drivers\wacxxnt59.sys
C:\WINDOWS\system32\adsrend.exe
C:\Program Files\Norstroy\WinGenerics.dll
C:\Program Files\Norstroy\wdfompos.exe
C:\Program Files\Norstroy\strsfc.exe
C:\Program Files\Norstroy\data.bin
C:\Program Files\Norstroy\Cache
C:\Program Files\Norstroy

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Now open Firefox & select tools/options/privacy and press clear cache and clear history ( it's optional to clear cookies)

then reboot

NOW download and run Aim fix from http://www.jayloden.com/aimfix.htm

then use regedcit to delete the aprs entries as you did before

let us know how you get on


----------



## Moocat (Sep 12, 2005)

um i never used regedit (i assume u mean regedit not regedcit ) to delete aprs (what are these?) entries. i'll need to be told how to do this as i don't know what aprs is


----------



## dvk01 (Dec 14, 2002)

sorry I was confusing you with soem one else who had a similar problem

once you have done all that please do this

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so we can work out the way to delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## Moocat (Sep 12, 2005)

okay i did everything you said _except_ it could not delete the /cache/ folder or the entire norstroy folder so i said it should do it on reboot, but when i rebooted i didn't see any sort of alert or window saying that they were actually deleted. anyway, i got the rest of the stuff you recommended  hopefully that fixed it all. moving on to the next steps you posted  Aim fix output "error setting priveleges" a few times but it also said it cleaned my profiles.


----------



## Moocat (Sep 12, 2005)

okay finished the activescan and it did _not_ give the option to clean or delete anything, just to save the report. so here it is:

Incident Status Location

Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-5454086b.zip[InstallerApplet.class] 
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-41e779c5.zip[InstallerApplet.class] 
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:23 PM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Documents and Settings\Owner\Desktop\Firefox CE\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GGEW - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GGEW.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VAP - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\VAP.exe (file missing)
O23 - Service: WVFK - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WVFK.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

OK next step

run HJT and fix these 2
O23 - Service: VAP - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\VAP.exe (file missing)
O23 - Service: WVFK - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\WVFK.exe (file missing)

They were left over from running rootkit revealer

next

open killbox & 
then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then

Removing Java trojans That your antivirus has found 
If you still are using JAVA 1.4 or earlier 
open control panel, select java plug in control panel, select cache and then press clear cache

That gets rid of the trojans 
If you are using 1.5 version it's slightly different so read here

http://www.java.com/en/download/help/5000020300.xml

then reboot and look for the C:\Program Files\Norstroy folder and if it still exists then delete it ( it should be vissable now we have removed the rootkit hiding it )


----------



## Moocat (Sep 12, 2005)

norstroy is not visible in normal mode and after running rootkitrevealer again it's apparent that it does not exist 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\ Description: Key name contains embedded nulls (*)
Date: 8/3/2003 2:03 PM
Size: 0 bytes
:
Description: Hidden from Windows API.
Date: 
Size: 0 bytes
:
Description: Hidden from Windows API.
Date: 
Size: 0 bytes
C:\Documents and Settings\Owner\Application Data\Aim\gdtypknx\vertsk8er091987\urlcache\aim3C3.tmp:
Description: Visible in Windows API, but not in MFT or directory index.
Date: 9/23/2005 9:46 AM
Size: 424 bytes
C:\Documents and Settings\Owner\Application Data\Aim\gdtypknx\vertsk8er091987\urlcache\aim3D5.tmp:
Description: Hidden from Windows API.
Date: 9/23/2005 10:16 AM
Size: 424 bytes
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\Cache\A2014126d01:
Description: Hidden from Windows API.
Date: 9/23/2005 10:08 AM
Size: 26.02 KB
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\r7f6u18f.default\parent.lock:
Description: Hidden from Windows API.
Date: 9/23/2005 10:05 AM
Size: 0 bytes
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C9Q34DEB\01[1].htm:
Description: Visible in Windows API, but not in MFT or directory index.
Date: 9/23/2005 9:06 AM
Size: 285 bytes
C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf:
Description: Hidden from Windows API.
Date: 9/23/2005 10:05 AM
Size: 46.49 KB

aimfix did not fix the rootkits with AIM unfortunately. moving on to this step u gave in above post 

in C:\Windows\Temp, one folder called ASHeuristic appeared again after i deleted it yesterday.

and now i've finished all steps to this point : deleted all temp files and cleared java cache


----------



## Moocat (Sep 12, 2005)

also did a reboot into safe mode and confirmed that norstroy is not there.


----------



## dvk01 (Dec 14, 2002)

I don't think the aim entries are rootkits but just something that windows can't normally see and are the AIM equivalent to temp internet files in IE or cache in Firefox
but at 400 bytes it's almost certainly harmless


----------



## Moocat (Sep 12, 2005)

okay sweet, so it looks like i'm mostly clean? should i do another activescan and post the results?


----------



## Moocat (Sep 12, 2005)

ran another activescan. one entry: 

Incident Status Location 

Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log


----------



## dvk01 (Dec 14, 2002)

that doesn't look like an important file and is only a log but let's try & delete it

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit ] If Killbox tells you any files are missing don't worry

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log


----------



## Moocat (Sep 12, 2005)

file deleted. what should i do to make sure that's all?


----------



## dvk01 (Dec 14, 2002)

That should be clean now

Turn off system restore by following instructions here 
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

go here* http://forums.techguy.org/t208517/s.html *for info on how to tighten your security settings and how to help prevent future attacks.

and pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place


----------



## Moocat (Sep 12, 2005)

tyvm derek i'll be sure to post here again if i get any leftover problems. i really appreciate your time and effort, and i'll make a donation to your rescue center (it won't be massive, i barely have $2,000 to my name after purchasing books) once i get my debit card mailed from home (i left it there on my last visit)


----------



## Moocat (Sep 12, 2005)

the only update that is available now is
Windows Genuine Advantage Validation Tool (KB892130)
and it says it fails to install!

edit: wow i found out why. I apparently was sold a chinese version of windows xp pro upgrade by best buy (i am detected as being in america so cannot recieve ANY updates, apprently, OR SUPPORT!!! i was actually denied support when i called in because i'm using a chinese version.). and i live in america. this is illegal, and i'm going to make sure they fix the problem for me.


----------



## dvk01 (Dec 14, 2002)

Make sure you report that to M$ 
http://www.microsoft.com/piracy/default.mspx

as well as complaining to Best buy and your local consumer protection where you bought the illegal pirate version of windows


----------



## Moocat (Sep 12, 2005)

i did report it to MS but they told me to report it to best buy and i just finished writing them an angry email. when i go home on the weekend (where i don't have to pay a long distance bill) i'm going to call their manager.


----------



## dvk01 (Dec 14, 2002)

Moocat said:


> i did report it to MS but they told me to report it to best buy and i just finished writing them an angry email. when i go home on the weekend (where i don't have to pay a long distance bill) i'm going to call their manager.


that doesn't sound quite right

this is M$ official stance

http://www.microsoft.com/piracy/Reporting.mspx


----------



## Moocat (Sep 12, 2005)

i'm not quite sure what to do, the ms guy didn't think it was pirated when i talked to him. i had a guy install it on my hd when we bought it since my computer was in for them to try and fix it (it wasn't booting so they wiped, that was totally worth it...). does something sold in the wrong country count as piracy? or did the guy use an illegal PID? i don't know how to tell :\


----------



## Moocat (Sep 12, 2005)

derek, i'm sorry to say, but my system is not clean yet (it's that damn microsoft place's fault)
in internet explorer, i am completely unable to set custom settings for any security zone. i believe this is preventing me from installing the activex control for the windows update. i checked in my activex controls and there's nothing new installed (or anything for microsoft). any ideas?


----------



## Moocat (Sep 12, 2005)

OK, now i got thru the install of the WGA thru another portion of the microsoft site called "how to tell", however, it still will not allow me to install the updates i download. as the installer works, it installs each item then says ....done! at the end. after it goes thru all 6 items, it tells me they all failed. any ideaS?


----------



## dvk01 (Dec 14, 2002)

I think it's all connected to your windows version

If it is being detected as a chinese version or the serial number is one allocated to china tehn it's a pirated version & nothing we do will overcome that 

I really think it's beyond anything we can do here and you need to contact M$ about it or best buy again and tell them that you insist on a full US version of what you have paid for then wipe everythiung and reinstall with a legal legit version 

I just can't see anything else working


----------



## dvk01 (Dec 14, 2002)

PM me with the PID number and I'll check if it's on any of my lsits of blocked or illegal numbers


----------



## Moocat (Sep 12, 2005)

LOL i must have died and went to hell... after all that we just fixed i don't think i can bring myself to do a wipe


----------



## dvk01 (Dec 14, 2002)

we can try a couple of fixes and see if it works to reset security settings and update settings but I won't guarantee it will work 


try this for update

Click the Start button, then click "Run..."

Type "cmd" in the box, no quotes, then press "OK".

then type the following lines, pressing "Enter" on your keyboard
after each line:

net.exe stop wuauserv
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wucltui.dll
regsvr32 /s wuweb.dll
regsvr32 /s jscript.dll
regsvr32 /s atl.dll
regsvr32 /s softpub.dll
regsvr32 /s msxml3.dll
net.exe start wuauserv

In case your curious, these commands do the following:
Stops the Windows Update "service" program.
Reinstalls all of the files Windows Update needs to work
Restarts the Windows Update "service" program. 

and then downlaod the attached buberegfix.zip to your desktop & unzip it, doubleclick the buberegfix.reg file it will open and say yes to merge with registry

this fixes a lot of damgaed security settings and update settings and MIGHT work but i won't guarantee it


----------



## Moocat (Sep 12, 2005)

ok i did the thing in the command prompt. i got no messages after typing in the regsvr commands, it just moved down to the next command without telling me it completed anything
the start and stops, it told me it completed successfully.
ran buberegfix.reg, and it said the values were added to the registry.
went to windows update and it said 
"Files required to use Windows Update are no longer registered or installed on your computer. To continue:


-Register or reinstall the files for me now (Recommended)
-Let me read about more steps that might be required to solve the problem"


----------



## dvk01 (Dec 14, 2002)

redo this and copy & paste the lines in to the cmd screen one at a time and press return/enter

what I think has happened is that you have mised a space out in the typing 

Click the Start button, then click "Run..."

Type "cmd" in the box, no quotes, then press "OK".

then type the following lines, pressing "Enter" on your keyboard
after each line:

net.exe stop wuauserv
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wucltui.dll
regsvr32 /s wuweb.dll
regsvr32 /s jscript.dll
regsvr32 /s atl.dll
regsvr32 /s softpub.dll
regsvr32 /s msxml3.dll
net.exe start wuauserv


----------



## Moocat (Sep 12, 2005)

ok did that again as you said and still didn't get a message from the regsvr32 commands. and for some reason, windows can't seem to reinstall the files i need. it goes thru all the motions (it goes to 100% on all the steps it shows in IE) and at the end it sends me back to the page i started on. when i click the express button, it gives me the same message saying that it needs to install again.


----------



## dvk01 (Dec 14, 2002)

it is working fine on mine but when i did the above steps I rebooted but at first update gave me an error message but the second time it worked 

BUT it is extremely slow tonight and I've tried update on a different computer and it is so slow I thought I was back on 28k dial up not 3 meg BB

don't use the express button but use the custom or whatever it 's called button


----------



## Moocat (Sep 12, 2005)

okay will try again after a reboot. also, i assume you're in a different part of the world than me (it doesn't seem windows update is very slow at all, not to mention the fact that it isn't "tonight" yet where i am )


----------



## Moocat (Sep 12, 2005)

okay so ever since doing that buberegfix thing and the thing with regsvr32, every program that tries to view a folder (for instance when using the "save..." window to choose where to save, or even opening "My computer") has frozen. in winamp, i can't load new songs, i can't browse my hard drive, because the window never loads the contents.


----------



## Moocat (Sep 12, 2005)

ok so if i use the address bar i can go to "C:\" but the My computer window will NOT show the contents. the flashlight keeps going back and forth but nothing happens.
also windows update STILL tells me i don't have the files and everything installed.
edit: after about 40 minutes, my computer found my drives and such. however, every time i go back to my computer it has to repeat the same process.
EDIT: was able to easily fix this problem with system restore!


----------



## dvk01 (Dec 14, 2002)

if you have done a sysetm restore does update work now 

I have not seen the problems you describe with using those fixes before but I doid warn taht it might not work but I really didbn't expect it to make the problem worse


----------



## Moocat (Sep 12, 2005)

its all fine, its back to the way it was with the update files installed. updates still do not wor, howeverk (as in i can't install the genuine advantage tool)


----------



## dvk01 (Dec 14, 2002)

I really haven't got any ideas then on that one


----------



## Moocat (Sep 12, 2005)

okay thanks for the help  btw, kapersky found a virus called "lolk.exe" in documents and settings\owner\ so i killboxed it.
also, kapersky seems to freeze on a .txt file that is within a .rar file.


----------



## Moocat (Sep 12, 2005)

okay i think i need help again.
this "lolk.exe" virus that kaspersky detected a few days ago in the documents and settings\owner folder that i killboxed, has been detected again in programfiles\getright\
also
\sunjava\deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-433ce009.zip\javainstaller/installerapplet.class
is detected as infected. i know i'm using jre 1.4 or 1.5, not 1.0. after killboxing lolk.exe once already to have it appear again i'm sure that simply deleting these won't help. i'll try and have kapersky clean/delete/quarantine them but i'm not sure how well that will work, as all my other virus programs fail at that.


----------



## dvk01 (Dec 14, 2002)

Removing Java trojans That your antivirus has found 
If you still are using JAVA 1.4 or earlier 
open control panel, select java plug in control panel, select cache and then press clear cache

That gets rid of the trojans 
If you are using 1.5 version it's slightly different so read here

http://www.java.com/en/download/help/5000020300.xml

and post a fresh HJT log so we can see waht KAspersky is finding


----------



## Moocat (Sep 12, 2005)

ok did that, but i noticed in the file path that it was v1.0 under the javapi\ folder... 
and it turns out i'm using 1.5 so i dont know why theres a folder for 1.0
hjt log: 
Logfile of HijackThis v1.99.1
Scan saved at 12:09:35 PM, on 9/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
C:\Documents and Settings\Owner\Desktop\Firefox CE\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {C4D6755D-2123-4EEF-BAA0-94B22F1C2271} (IAHSOCX.HOSTILESPACE) - https://www.hostilespace.com/Portal/IAHSOCX20019.CAB
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GGEW - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GGEW.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


----------



## dvk01 (Dec 14, 2002)

I can't see anything there so can you get me alog of what Kaspersky found

open KAV by double clicking on the icon in teh system tray, then on the protection tab, click on view reports, rightclick on the red icon that says infected objects found and select export detailed report to file, in the bottom box, save ity as tab deliminated.txt and select an appropriate location. then pres ok

go to that report & attach it to a reply here


----------



## Moocat (Sep 12, 2005)

the view reports button shows me a list of successful or failed tasks. for instance "Full Scan (failed)" there is nothing about infected objects :X
by the way i can never get a successful full scan (is it b/c its a trial?)
the window just dissapears when its done it seems


----------



## dvk01 (Dec 14, 2002)

if it says fullscan failed then it means taht it found something so send that log


----------



## Moocat (Sep 12, 2005)

log is ginormous so posted here
http://www.thespykiller.co.uk/forum/index.php?topic=723.msg2608#msg2608


----------



## dvk01 (Dec 14, 2002)

just about everything found is in either spybot quarantine or adaware so are harmless

you have dealt with the java trojans 

that leaves
C:\Program Files\GetRight\lolk.exe

when getright downloads I think it keeps a copy in it's folder 

just delete that one


----------



## Moocat (Sep 12, 2005)

ok deleted. i ran another scan while i was out at a party, and again, there is no window notifying me that the scan completed or asking me how to fix any problems so i'll check the log again.


----------



## Moocat (Sep 12, 2005)

ok so the scan failed {again} and all it came up with in the log is the adaware stuff like last time. is it a concern that the scans keep failing and i have to read the log to find what it found? and should i assume that it even completely scanned the computer?


----------



## dvk01 (Dec 14, 2002)

WhenKAV says scan failed it is their quaint NON english way of saying taht something was found 

I hope that they are going to change that in the next update to it as it confuses people ( KAV developers are russian and english translation isn't their strong point) 

open KAv & press settings tab and configure on demand scan 

check that the prompt user for action at the end of scan is enabled 

I suspect you have the bottom option log only enabled


----------



## Moocat (Sep 12, 2005)

no it was set to prompt at end of scan! i don't know why i'm not getting the prompt :\


----------



## dvk01 (Dec 14, 2002)

try setting it to prompt for action, 

BUT you do need to be in front of the computer all the time the scan is running as it will pop up an alert about every thing it finds and it won't move on to the next one till you do something


----------



## dvk01 (Dec 14, 2002)

the only other suggestion I have is post on the Kaspersky support forum where one of the developers or mods will pick it up & might have a better suggestion

http://forum.kaspersky.com/index.php?


----------



## Moocat (Sep 12, 2005)

ok ty 
the scan is coming up clean before it fails every time (except adaware stuff which is no prob) so i think my comp is fixed


----------



## dvk01 (Dec 14, 2002)

Dr Kathy I have split you off to your own thread

http://forums.techguy.org/t407330.html

This thread is now closed

if the original poster wants to reopen please pm me or another mod


----------

