# Solved: Please help! [se.dll Trojan.StartPage]



## skylarzook (Feb 20, 2005)

I have been reading various forum posts on similar problems, so I have a hijackthis log, a startdreck log and a pv log.

Running Windows XP Professional. Norton Antivirus finds it in C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll, quarantines it, still getting popups of "warning infected with spyware" etc. Ran Adaware, got rid of a bunch of stuff. Ran Spy Bot, got rid of a bunch of stuff. Norton, all in safe mode. Deleted the file in the temp folder. Restarted and it came back. Norton sees it. When not in safe mode, trying to delete the temp files gets my computer to shut down... fun fun

in hijackthis log, new to it, just looking, these look bad:
all the R1
the O4 with Dll Install
two O16 with ppctlcab.cab and pestscan

are those all bad?
and generally what to do?

you guys rule!

the logs are attached. I'd love to hear back soon. I'm on a deadline for a website and this is really sucking. thank you!

~sarah


----------



## skylarzook (Feb 20, 2005)

also, presently what's happening with the se.dll (now in safe mode) - when moving around in IE I get the following error message: an exception occurred while trying to run C:\Docum...\Sarah\Localsettings\Temp\se.dll, Dll Install
when this comes up, task manager shows rundll32.exe

the about:blank home page also going on whenever i open a new page


----------



## Mosaic1 (Aug 17, 2001)

Hi skylarzook,

Welcome. It's late here and I am on my way out. However, I would ask you to please not attach logs. It makes it more work for us to read them when you do.

Also, before anyone can help effectively we need a few tests.

Go here:
http://virusscan.jotti.dhs.org/

Upload C:\windows\explorer.exe

Have it scanned and post the results.

Do the same for:
C:\Program Files\Internet Explorer\Iexplore.exe


----------



## skylarzook (Feb 20, 2005)

hey, sorry about the attachments. here's the jotti results. hope that's the part you need:

File: explorer.exe 
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
Packers detected: None 

AntiVir No viruses found (0.41 seconds taken) 
Avast No viruses found (1.53 seconds taken) 
AVG Antivirus No viruses found (0.40 seconds taken) 
BitDefender No viruses found (0.46 seconds taken) 
ClamAV No viruses found (0.68 seconds taken) 
Dr.Web No viruses found (0.88 seconds taken) 
F-Prot Antivirus No viruses found (0.09 seconds taken) 
Fortinet No viruses found (0.39 seconds taken) 
Kaspersky Anti-Virus No viruses found (0.98 seconds taken) 
mks_vir No viruses found (0.23 seconds taken) 
NOD32 No viruses found (0.59 seconds taken) 
Norman Virus Control No viruses found (1.18 seconds taken) 

Statistics 
Last piece of malware found was W32/Bifrose.E in DragonBot9.0_for_Sp1.exe, detected by:

Scanner Malware name Time taken 
AntiVir BDS/Improg.1 0.38 seconds 
Avast X 1.51 seconds 
AVG Antivirus BackDoor.Bifrose.O 0.43 seconds 
BitDefender Backdoor.Bifrose.E 0.46 seconds 
ClamAV Trojan.Bifrose-4 0.58 seconds 
Dr.Web BackDoor.Bifrost 0.86 seconds 
F-Prot Antivirus W32/[email protected] 0.09 seconds 
Fortinet X 0.40 seconds 
Kaspersky Anti-Virus Backdoor.Win32.Bifrose.d 1.02 seconds 
mks_vir Trojan.Bifrose.D 0.21 seconds 
NOD32 Win32/Bifrose.E 0.46 seconds 
Norman Virus Control W32/Bifrose.E 0.19 seconds


----------



## skylarzook (Feb 20, 2005)

and for C:\Program Files\Internet Explorer\Iexplore.exe

File: iexplore.exe 
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) 
Packers detected: None 

AntiVir No viruses found (0.38 seconds taken) 
Avast No viruses found (1.53 seconds taken) 
AVG Antivirus No viruses found (0.39 seconds taken) 
BitDefender No viruses found (0.46 seconds taken) 
ClamAV No viruses found (0.56 seconds taken) 
Dr.Web No viruses found (0.86 seconds taken) 
F-Prot Antivirus No viruses found (0.09 seconds taken) 
Fortinet No viruses found (0.40 seconds taken) 
Kaspersky Anti-Virus No viruses found (0.98 seconds taken) 
mks_vir No viruses found (0.23 seconds taken) 
NOD32 No viruses found (0.48 seconds taken) 
Norman Virus Control No viruses found (0.64 seconds taken) 


----------



## Mosaic1 (Aug 17, 2001)

You have the Backdoor Haxdoor among other things.

Information here. This is to let you know what you have. If you attempt to remove it manually, do the full scan. Be sure your AV is up to date first. Do not delete the restore points as advised on that page. I would advise you stay out of the registry unless you are expert. Someone will help you later with that.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html

-----------
You will be restarting into Safe mode later. 
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
--------

Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings: 
Select 
Show hidden files and folders 
Display the contents of system folders 
Uncheck: Hide protected operating system files 
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click. 
Be sure the first three boxes are selected: 
Search System folders 
Search Hidden Files and folders 
Search SubFolders 
-------- 
Download The Killbox:
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Extract Killbox.exe to the desktop. We'll use it later.

---------------

Download the hoster:
http://members.aol.com/toadbee/hoster.zip
Extract the file it contains to your desktop. We'll use it later.

---------------
Download Find It NT-2K-XP.zip .

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

Unzip it and double-click on Find.bat to run it. When the command window first opens, it may say "File not found". Let it continue to run. It will take more than a few minutes. It will produce and open a file named Output.txt when it is finished. Copy and paste the contents of output.txt into your next reply here. 
--------------

Download the l2mfix here:
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

***IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

--------------

Post a new Hijackthis log if you have restarted since you posted the log in your last post.

Post a startuplist please. In Hijackthis press the Config Button
Click Misc Tools
*Check both boxes under the Generate StartupList log* and then click the generate startuplist log button.

Paste the contents into your next reply here, please.

You are going to have to split up the information I have asked you for into several posts.

------------

Once you have run these, do not restart. The information will change. If you do restart, we will need all new logs.

Good luck. I'll try to get back tomorrow afternoon.

I am in the US in the Eastern Time Zone. It is now 12:50 am.


----------



## Mosaic1 (Aug 17, 2001)

Also download CWShredder here. We'll use it later:
http://www.intermute.com/spysubtract/cwshredder_download.html

Download this tool as well:
https://beta.activeupdate.trendmicro.com/fixtool/fixagentv1.0007.zip


----------



## Mosaic1 (Aug 17, 2001)

One final and important tool is Ad-Aware

Go to this link and read the tutorial 
http://www.bleepingcomputer.com/forums/tutorial48.html

Download, install and update AD-Aware.

Don't run it yet. It's another one we'll use later.


----------



## skylarzook (Feb 20, 2005)

Find it results:

Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\downloads\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 209D-2B14

Directory of C:\WINDOWS\System32

02/19/2005 04:06 PM dllcache
11/05/2003 03:17 PM Microsoft
0 File(s) 0 bytes
2 Dir(s) 1,525,583,872 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 209D-2B14

Directory of C:\WINDOWS\System32

02/19/2005 05:28 PM vmss
02/19/2005 04:27 PM wsxsvc
02/19/2005 04:06 PM dllcache
11/04/2003 02:33 PM 488 WindowsLogon.manifest
11/04/2003 02:33 PM 488 logonui.exe.manifest
11/04/2003 02:33 PM 749 sapi.cpl.manifest
11/04/2003 02:33 PM 749 cdplayer.exe.manifest
11/04/2003 02:33 PM 749 wuaucpl.cpl.manifest
11/04/2003 02:33 PM 749 ncpa.cpl.manifest
11/04/2003 02:33 PM 749 nwc.cpl.manifest
7 File(s) 4,721 bytes
3 Dir(s) 1,525,579,776 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 209D-2B14

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 209D-2B14

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 1,525,579,776 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E286AC6F-8B65-4DAA-9181-8967555D2F83}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]
"DllName"=hex(2):64,72,63,74,31,36,2e,64,6c,6c,00
"Startup"="MeMessager"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\wdvdmod.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"StartTabletService"="tablet s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"GhostStartTrayApp"="C:\\Program Files\\Symantec\\Norton Ghost 2003\\GhostStartTrayApp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"ntddetect"="C:\\WINDOWS\\System32\\ntddetect.exe"
"ntechin"="C:\\Documents and Settings\\Sarah\\n20050308.exe"
"Dvx"="C:\\WINDOWS\\System32\\wsxsvc\\wsxsvc.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"sp"="rundll32 C:\\DOCUME~1\\Sarah\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




----------



## skylarzook (Feb 20, 2005)

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]
"DllName"=hex(2):64,00,72,00,63,00,74,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Startup"="MeMessager"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\wdvdmod.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E286AC6F-8B65-4DAA-9181-8967555D2F83}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.5 Property Sheet Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{7877C8E0-8B13-11D0-92C2-00AA004B256F}"="Pagis Folder"
"{7877C8E1-8B13-11D0-92C2-00AA004B256F}"="Pagis Inbox"
"{7877C8E2-8B13-11D0-92C2-00AA004B256F}"="Pagis Inbox"
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Share-to-Web Upload Folder"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{787512CC-1C3C-46B1-BCB4-246234BEFB77}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{787512CC-1C3C-46B1-BCB4-246234BEFB77}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{787512CC-1C3C-46B1-BCB4-246234BEFB77}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{787512CC-1C3C-46B1-BCB4-246234BEFB77}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{787512CC-1C3C-46B1-BCB4-246234BEFB77}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdvdmod.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 209D-2B14

Directory of C:\WINDOWS\System32

02/19/2005 04:06 PM dllcache
11/05/2003 03:17 PM Microsoft
0 File(s) 0 bytes
2 Dir(s) 1,524,649,984 bytes free


----------



## skylarzook (Feb 20, 2005)

Startup list log

StartupList report, 2/20/2005, 1:59:19 AM
StartupList version: 1.52.2
Started from : D:\downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\downloads\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Sarah\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
NeroCheck = C:\WINDOWS\System32\\NeroCheck.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
StartTabletService = tablet s
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
GhostStartTrayApp = C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
ntddetect = C:\WINDOWS\System32\ntddetect.exe
ntechin = C:\Documents and Settings\Sarah\n20050308.exe
Dvx = C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
sp = rundll32 C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll,DllInstall

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ntddetect = C:\WINDOWS\System32\ntddetect.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ntddetect = C:\WINDOWS\System32\ntddetect.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\bdil.dll - {11783622-045F-42F4-9707-500588688C47}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[ppctlcab]
CODEBASE = http://www.pestscan.com/scanner/ppctlcab.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSD406.OSD

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx
CODEBASE = http://www.pestscan.com/scanner/axscanner.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

[{4C226336-4032-489F-9674-67E74225979B}]
CODEBASE = http://www.otxresearch.com/OTXMedia/OTXMedia.dll

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.real.com/133c4347d5323b0cc902/netzip/RdxIE601.cab

[{79849612-A98F-45B8-95E9-4D13C7B6B35C}]
CODEBASE = http://iframedollars.biz/tb/loader2.ocx

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.8308912037

[Java Plug-in 1.4.2_05]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\System32\dolsp.dll
Protocol #2: C:\WINDOWS\System32\dolsp.dll
Protocol #3: C:\WINDOWS\System32\dolsp.dll
Protocol #4: C:\WINDOWS\System32\aklsp.dll
Protocol #5: C:\WINDOWS\System32\aklsp.dll
Protocol #6: C:\WINDOWS\System32\aklsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
Protocol #11: C:\WINDOWS\system32\rsvpsp.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\System32\aklsp.dll
Protocol #23: C:\WINDOWS\System32\dolsp.dll

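A triage pass over the two sections a helper reads first in a report like this (the Run keys and the Winsock LSP chain), as an added Python example that is not part of the thread or of HijackThis. The report text it parses is a constructed excerpt modelled on the log above, and the flagging rules (user-writable launch paths, a rundll32 DllInstall loader, Winsock providers outside the stock Windows set) are review heuristics assumed for illustration, not a verdict on any entry.

```python
"""Parse the 'Autorun entries from Registry' and 'Winsock LSP files'
sections of a HijackThis StartupList report and flag entries that
deserve a closer look.  Added example, not HijackThis's own code."""
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpt modelled on the StartupList format (not the full log).
SAMPLE_REPORT = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

NAV Agent = C:\\PROGRA~1\\NORTON~1\\navapw32.exe
ntechin = C:\\Documents and Settings\\Sarah\\n20050308.exe
sp = rundll32 C:\\DOCUME~1\\Sarah\\LOCALS~1\\Temp\\se.dll,DllInstall

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\\WINDOWS\\System32\\mswsock.dll
Protocol #1: C:\\WINDOWS\\System32\\dolsp.dll
Protocol #7: C:\\WINDOWS\\system32\\mswsock.dll
"""

SEPARATOR = "--------------------------------------------------"
LSP_RE = re.compile(r"^(NameSpace|Protocol) #(\d+): (.+)$")

# Heuristics (assumptions for this example): autoruns normally live under
# Program Files or the Windows directory, so a launch path inside a user
# profile or a Temp directory is worth a look; the stock XP Winsock chain
# is built from these three Microsoft DLLs, so anything else is third-party.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\",
                 "\\documents and settings\\", "\\docume~1\\")
STOCK_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


class Autorun(NamedTuple):
    key: str       # registry key the value lives under
    name: str      # value name
    command: str   # command line that runs at logon


class Finding(NamedTuple):
    section: str   # "autorun" or "lsp"
    entry: str     # value name or provider slot
    reason: str


def parse_autoruns(report: str) -> List[Autorun]:
    """Collect 'name = command' lines from every 'Autorun entries from Registry' block."""
    entries: List[Autorun] = []
    lines = report.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == "Autorun entries from Registry:" and i + 1 < len(lines):
            key = lines[i + 1].strip()          # the registry key follows the header
            i += 2
            while i < len(lines) and lines[i].strip() != SEPARATOR:
                line = lines[i].strip()
                # '*No values found*' style placeholders start with '*'
                if " = " in line and not line.startswith("*"):
                    name, command = line.split(" = ", 1)
                    entries.append(Autorun(key, name.strip(), command.strip()))
                i += 1
        else:
            i += 1
    return entries


def parse_lsps(report: str) -> List[Tuple[str, int, str]]:
    """Return (kind, slot number, dll path) for each Winsock provider line."""
    out = []
    for line in report.splitlines():
        m = LSP_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    for a in parse_autoruns(report):
        cmd = a.command.lower()
        if any(tok in cmd for tok in USER_WRITABLE):
            findings.append(Finding("autorun", a.name,
                                    "launches from a user-writable path: " + a.command))
        if cmd.startswith("rundll32") and ",dllinstall" in cmd:
            findings.append(Finding("autorun", a.name,
                                    "rundll32 DllInstall loader: " + a.command))
    for kind, slot, path in parse_lsps(report):
        dll = path.rsplit("\\", 1)[-1].lower()
        if dll not in STOCK_LSP:
            # A non-stock LSP is not proof of malware (some firewalls install
            # one), but it must be unhooked cleanly or Winsock breaks.
            findings.append(Finding("lsp", f"{kind} #{slot}",
                                    "non-stock Winsock provider: " + path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.entry}: {f.reason}")
```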

----------



## skylarzook (Feb 20, 2005)

2nd half of startup log

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Intel(r) 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d344bus: System32\DRIVERS\d344bus.sys (system)
d344prt: System32\Drivers\d344prt.sys (system)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
eUSB SmartMedia Driver: System32\DRIVERS\EUSBMSD.SYS (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GhostStartService: C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE (autostart)
GhostPciScanner: \??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
NAVAP: \??\C:\WINDOWS\System32\Drivers\NAVAP.SYS (manual start)
Norton AntiVirus Auto Protect Service: C:\Program Files\Norton AntiVirus\navapsvc.exe (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050218.035\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050218.035\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pen Class: System32\Drivers\penclass.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{D2AC5371-CE67-42C3-A62B-269ADA2DE774} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TabletService: C:\WINDOWS\System32\Tablet.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VIRTwin: \??\C:\WINDOWS\System32\vdmt16.sys (system)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
SCNDmem: \??\C:\WINDOWS\System32\winlow.sys (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,227 bytes
Report generated in 0.240 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## skylarzook (Feb 20, 2005)

All the various programs are lying in wait. I'm excited to bust this stuff out of here. I'm going to know so much more about my computer once this is done. I feel like I just did a bunch of blood tests, and the doc's like, "I'm sorry... you have cancer. We'll have to start chemo immediately."
So thank you very much so far. I'll be hanging around. I hope your day is going well so far.
Cheers,
Sarah


----------



## Mosaic1 (Aug 17, 2001)

I just got here. Did you run the Norton Scan yet? And are you still in Safe mode? I'll read and get back to you.


----------



## skylarzook (Feb 20, 2005)

Here are the logs from the various Norton scans. A few times last night I restarted my computer, but I don't know if they show up in this log or if this log is just since the last restart... (Don't worry, I haven't restarted since doing all the posted logs.)

I am still in safe mode... is that a problem? I can download things just fine.

Date: 2/19/2005, Time: 15:11:24, Sarah on SING
The file
C:\WINDOWS\mstasks2.exe
is infected with the Download.Trojan virus.
Access to the file was denied.


Date: 2/19/2005, Time: 15:33:02, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 16:51:32, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 3
Infected: 0
Repaired: 0
Boot records:
Scanned: 4
Infected: 0
Repaired: 0
Files:
Scanned: 162644
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0

Date: 2/19/2005, Time: 17:20:10, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 17:20:26, Sarah on SING
Virus scan canceled.

Date: 2/19/2005, Time: 17:24:12, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 17:24:14, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 0
Infected: 0
Repaired: 0
Boot records:
Scanned: 0
Infected: 0
Repaired: 0
Files:
Scanned: 1
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0

Date: 2/19/2005, Time: 17:24:16, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 17:24:16, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 0
Infected: 0
Repaired: 0
Boot records:
Scanned: 0
Infected: 0
Repaired: 0
Files:
Scanned: 1
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0

Date: 2/19/2005, Time: 17:25:34, Sarah on SING
The file
C:\WINDOWS\system32\paydial.exe
is infected with the Backdoor.Tofger virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:25:34, Sarah on SING
The file
C:\WINDOWS\system32\paydial.exe
is infected with the Backdoor.Tofger virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:27:42, Sarah on SING
The file
C:\WINDOWS\system32\paydial.exe
is infected with the Backdoor.Tofger virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:27:42, Sarah on SING
The file
C:\WINDOWS\system32\paydial.exe
is infected with the Backdoor.Tofger virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:38, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:38, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:48, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:50, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.


Date: 2/19/2005, Time: 17:36:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.


----------
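The Norton log posted above runs to several hundred near-identical records, which hides the fact that it contains only three distinct detections (mstasks2.exe / Download.Trojan, paydial.exe / Backdoor.Tofger, se.dll / Trojan.StartPage). The script below is an added example for readers of this thread, not code from the poster, the forum or Symantec: it parses records of the shape Norton writes ("Date:" header, "The file", path, "is infected with the ... virus.", action line) and collapses them into one finding per threat and file, with a hit count, first/last timestamps and every path spelling seen. It keys on the file's basename on purpose, because the same se.dll appears under both its 8.3 path (DOCUME~1\...) and its long path. The embedded sample is constructed in the same format and is not the poster's actual log file. One caveat when reading the counts: Auto-Protect logs a hit every time something opens the file, so a high count on one file means a process kept loading it, not that there are many copies.

```python
"""Summarise a Norton AntiVirus activity log of the kind posted above (added
example, not part of the thread). Repeated 'Unable to repair' / 'Access
denied' records collapse into one finding per (threat, file)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same shape as the posted log (not the real file).
SAMPLE_LOG = r"""
Date: 2/19/2005, Time: 15:11:24, Sarah on SING
The file
C:\WINDOWS\mstasks2.exe
is infected with the Download.Trojan virus.
Access to the file was denied.

Date: 2/19/2005, Time: 15:33:02, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 17:25:34, Sarah on SING
The file
C:\WINDOWS\system32\paydial.exe
is infected with the Backdoor.Tofger virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:36:38, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.
"""

HEADER_RE = re.compile(r"^Date: (\S+), Time: (\S+), (.+) on (\S+)$")
THREAT_RE = re.compile(r"^is infected with the (.+) virus\.$")

@dataclass
class Finding:
    threat: str
    basename: str
    paths: set = field(default_factory=set)            # 8.3 and long spellings both occur
    actions: Counter = field(default_factory=Counter)  # action line -> count
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def hits(self) -> int:
        return sum(self.actions.values())

def parse_records(text: str) -> List[Tuple[datetime, List[str]]]:
    """Split the log into (timestamp, body lines). A record ends at a blank
    line or at the next 'Date:' header."""
    records: List[Tuple[datetime, List[str]]] = []
    stamp, body = None, []
    for line in text.splitlines() + [""]:      # trailing blank flushes the last record
        line = line.strip()
        header = HEADER_RE.match(line)
        if header or not line:
            if stamp is not None and body:
                records.append((stamp, body))
            stamp, body = None, []
        if header:
            stamp = datetime.strptime(f"{header.group(1)} {header.group(2)}",
                                      "%m/%d/%Y %H:%M:%S")
        elif line:
            body.append(line)
    return records

def summarise(text: str) -> Dict[Tuple[str, str], Finding]:
    """Group detection records by (threat, file basename); scan start/stop
    and statistics records are skipped."""
    findings: Dict[Tuple[str, str], Finding] = {}
    for stamp, body in parse_records(text):
        if len(body) < 4 or body[0] != "The file":
            continue
        path, threat_line, action = body[1], body[2], body[3]
        m = THREAT_RE.match(threat_line)
        if not m:
            continue
        key = (m.group(1), path.rsplit("\\", 1)[-1].lower())
        f = findings.setdefault(key, Finding(key[0], key[1]))
        f.paths.add(path)
        f.actions[action] += 1
        f.first = stamp if f.first is None else min(f.first, stamp)
        f.last = stamp if f.last is None else max(f.last, stamp)
    return findings

def report(text: str) -> List[str]:
    """One line per finding, oldest first."""
    out = []
    for f in sorted(summarise(text).values(), key=lambda x: x.first):
        out.append(f"{f.threat:<18} {f.basename:<13} hits={f.hits:<3} "
                   f"first={f.first:%H:%M:%S} last={f.last:%H:%M:%S} "
                   f"spellings={len(f.paths)} {dict(f.actions)}")
    return out
```

Run `print("\n".join(report(SAMPLE_LOG)))` against the sample, or read the real log file into `report()` to get the three-line summary instead of the wall of repeats; the `spellings` column shows when one file has been logged under more than one path.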



## skylarzook (Feb 20, 2005)

2nd half of logs

Date: 2/19/2005, Time: 17:38:58, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:38:58, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 17:39:22, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 17:39:22, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:39:22, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 17:39:22, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:39:22, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 17:39:24, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:39:24, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 17:40:38, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:40:38, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 17:40:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 17:40:52, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:32:56, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:32:56, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:36:18, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:36:18, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:39:52, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:40:06, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:40:18, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:40:18, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:43:04, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:24, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:26, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:44:28, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:44:28, Sarah on SING
The file
C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:45:54, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:45:54, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 18:46:30, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 18:46:30, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 19:24:46, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll is infected with the Trojan.StartPage virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Internet Files\Content.IE5\GTM74X63\loadadv621[1].exe is infected with the Downloader.Trojan virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD0BC307\null[1].txt is infected with the Backdoor.Tofger virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\Documents and Settings\Sarah\Local Settings\Temp\Temporary Internet Files\Content.IE5\SD0BC307\sploit[1].anr is infected with the Download.Trojan virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\new.exe is infected with the Downloader.Trojan virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
The file C:\WINDOWS\system32\paydial.exe is infected with the Backdoor.Tofger virus.
The file was quarantined.

Date: 2/19/2005, Time: 20:19:10, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 3
Infected: 0
Repaired: 0
Boot records:
Scanned: 4
Infected: 0
Repaired: 0
Files:
Scanned: 161028
Infected: 6
Repaired: 0
Quar'ed: 6
Deleted: 0

Date: 2/19/2005, Time: 20:21:10, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 20:21:10, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 20:27:26, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Unable to repair this file.

Date: 2/19/2005, Time: 20:27:26, Sarah on SING
The file
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
is infected with the Trojan.StartPage virus.
Access to the file was denied.

Date: 2/19/2005, Time: 20:52:28, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 20:52:28, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 0
Infected: 0
Repaired: 0
Boot records:
Scanned: 0
Infected: 0
Repaired: 0
Files:
Scanned: 1
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0

Date: 2/19/2005, Time: 20:52:30, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 20:52:30, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 0
Infected: 0
Repaired: 0
Boot records:
Scanned: 0
Infected: 0
Repaired: 0
Files:
Scanned: 1
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0

Date: 2/19/2005, Time: 20:55:16, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 22:33:42, Sarah on SING
The file C:\Documents and Settings\Sarah\Local Settings\Temp\se.dll is infected with the Trojan.StartPage virus.
The file was quarantined.

Date: 2/19/2005, Time: 22:33:42, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 3
Infected: 0
Repaired: 0
Boot records:
Scanned: 4
Infected: 0
Repaired: 0
Files:
Scanned: 160679
Infected: 1
Repaired: 0
Quar'ed: 1
Deleted: 0

Date: 2/19/2005, Time: 23:31:32, Sarah on SING
Virus scan started.

Date: 2/19/2005, Time: 23:31:32, Sarah on SING
Virus scanning completed.
Master boot records:
Scanned: 0
Infected: 0
Repaired: 0
Boot records:
Scanned: 0
Infected: 0
Repaired: 0
Files:
Scanned: 1
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0


----------



## Mosaic1 (Aug 17, 2001)

We need to run part two of the l2mfix first. Disconnect totally from the internet. Unplug your modem while you do this.

Go back to your l2mfix folder. Run l2mfix.bat 
Be prepared to restart, but don't go to regular mode. Instead go into safe mode. Do not go into Regular Windows yet.

This time press 2 and press enter. When you get into Safe mode, go back to your l2mfix folder again, Double click on second.bat. This will perform the rest of the fix. If a text file opens when this has finished running ignore that for now and close it.
-------------

Run Killbox.exe by double clicking on it.

Select Delete on Reboot.
Select End Explorer Shell while deleting file.

Paste this path into the 
*Full Path of File to Delete* 
C:\WINDOWS\SYSTEM32\drct16.dll

Click the red icon with the white X at the upper right.

You will be prompted to restart. Say no. Do not reboot yet.

Use the Killbox the same way for these files:
C:\WINDOWS\System32\bdil.dll
C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll
C:\Documents and Settings\Sarah\n20050308.exe

Go to start>run and type hijackthis
Press enter

Select these items if they still exist and press the fix checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O2 - BHO: (no name) - {11783622-045F-42F4-9707-500588688C47} - C:\WINDOWS\System32\bdil.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\Sarah\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe

O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/133c4347d5323b0cc902/netzip/RdxIE601.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O18 - Filter: text/html - {10193C8D-FA4E-40BD-BB87-2F6BFD3AA459} - C:\WINDOWS\System32\bdil.dll
O18 - Filter: text/plain - {10193C8D-FA4E-40BD-BB87-2F6BFD3AA459} - C:\WINDOWS\System32\bdil.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\wdvdmod.dll (file missing)

----------

Restart back into Safe mode immediately.

Extract and run the fixagentv1.0007 tool you downloaded earlier.

Run CWShredder.

Restart into Safe Mode again.

Go to start>Run and type
%Temp%
Press enter.
This will open your temp folder. Select everything and delete all if now possible.

------ 
Run lspfix.exe

Press the I know what I'm doing button.

Move these two files from the left to the right removal pane and then press finish.
aklsp.dll
dolsp.dll
-----------

Delete these two files.
c:\windows\system32\aklsp.dll
c:\windows\system32\dolsp.dll

Delete these folders:
C:\WINDOWS\System32\wsxsvc
C:\windows\system32\vmss

Run Ad-aware.

Shut down. Reconnect your modem.

Restart into Regular Windows mode.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Run Hijackthis again and post your new log.
Go to the l2mfix folder and open log.txt
Post the contents of log.txt into your reply too.

There will be more to do. I want to see if we were successful with the bulk of it.
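The lines above are picked out by the same handful of patterns every time: IE search settings redirected into a res:// DLL or about:blank, hosts entries mapped to 127.0.0.3, a Run key invoking rundll32 on a DLL in Temp, Trusted Zone additions, text/html MIME filters, and a Winlogon Notify package loading a non-stock DLL. As an added example (not the helper's tool and not part of the thread), this Python script encodes those checks as a triage pass over HijackThis 1.99 lines; the sample lines, the KNOWN_NOTIFY_DLLS set and the reason strings are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Winlogon Notify packages that ship with Windows XP, by DLL file name. An O20
# entry pointing anywhere else deserves a look (assumed set for this example).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Paths under a user's Temp folder, in both short (DOCUME~1) and long form.
TEMP_PATH = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)

# Constructed sample lines in HijackThis 1.99 format (not a real log from this thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.3 www.example.invalid
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.example.invalid (HKLM)
O15 - Trusted IP range: 192.0.2.10
O18 - Filter: text/html - {10193C8D-FA4E-40BD-BB87-2F6BFD3AA459} - C:\WINDOWS\System32\bdil.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""


def triage_line(line: str) -> Optional[str]:
    """Return why a HijackThis line matches a StartPage/CWS-style pattern, else None."""
    m = re.match(r"([RNO]\d+) - (.*)", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2).strip()

    if section in ("R0", "R1"):
        # Search/start pages redirected into a res:// DLL or blanked out.
        if "res://" in body or body.endswith("about:blank"):
            return "IE start/search setting points at a res:// DLL or about:blank"
    elif section == "O1":
        # The hijack in this thread maps sites to 127.0.0.3, not the usual loopback.
        m2 = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m2 and m2.group(1) != "127.0.0.1":
            return f"hosts entry maps {m2.group(2)} to {m2.group(1)} (not 127.0.0.1)"
    elif section == "O4":
        if re.search(r"\brundll32\b", body, re.IGNORECASE) and TEMP_PATH.search(body):
            return "autostart loads a DLL from Temp via rundll32"
        if TEMP_PATH.search(body):
            return "autostart runs a program from Temp"
    elif section == "O15":
        return "site or IP range added to the IE Trusted Zone"
    elif section == "O18":
        return "MIME filter hooked for text/html or text/plain content"
    elif section == "O20":
        # Last path component, minus a trailing "(file missing)" marker if present.
        dll = body.rsplit("\\", 1)[-1].split()[0].lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            return f"Winlogon Notify package loads non-stock DLL {dll}"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (line, reason) for each hit."""
    hits = []
    for raw in log_text.strip().splitlines():
        reason = triage_line(raw.strip())
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The rules are deliberately loose (every O15 and O18 line is reported); they narrow a log down to the lines a human should read, they do not decide what to fix.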


----------



## Mosaic1 (Aug 17, 2001)

PS if when you run The Killbox you are told a particular file doesn't exist, ignore the message and continue with the next file on this list. Also, some of these utilities are going to end the explorer shell. If you see that happen, don't be upset. 

Good Luck.


----------



## skylarzook (Feb 20, 2005)

ok. i'm off to work on this. thank you


----------



## skylarzook (Feb 20, 2005)

one q, do i need to be disconnected from the internet for all these steps, or only the first one?


----------



## skylarzook (Feb 20, 2005)

nevermind, i see the reconnect after running lavasoft adaware


----------



## Mosaic1 (Aug 17, 2001)

Perform all steps in Safe mode and with no Modem. Until at the last when I said shut down. Reconnect the Modem. Restart into regular windows mode at the very end.


----------



## skylarzook (Feb 20, 2005)

ok. got down to lspfix.exe, which i don't have. where can i get that from (i don't see a link in the earlier list). i did the earlier steps as prescribed, skipped the lspfix, did the adaware, restarted into safe mode with networking, plugged in the ethernet, and am sending out this message. hopefully i haven't really buggered it up.


----------



## Mosaic1 (Aug 17, 2001)

I must not have given you the link. You can get it on this page. Hopefully since this was near the end of the instructions, it should be OK. Be sure to sign off again before you use it.

http://www.cexx.org/lspfix.htm

Do the Ad-Aware and we'll see. Good luck.


----------



## skylarzook (Feb 20, 2005)

ok. so in the temp folder while deleting got the message: cannot delete ~DFSFAA. Access is denied. deleted everything else. nothing shows up in the temp folder now. was able to delete the two folders, but c:\windows\system32\aklsp.dll
c:\windows\system32\dolsp.dll were undeletable using windows explorer. is there another method i can use to delete them?
i'm still in safe mode with networking. did the lspfix. and adaware again, same cool web search came up and got quarantined.


----------



## Mosaic1 (Aug 17, 2001)

If you are online or always on, you cannot delete those files if they are in use. If you have run the lspfix and removed them from the Registry (that's what it does), then you can use the Killbox to delete on reboot and then restart. Finish up and then post your logs. I'll have another look. If you remove the files and have not yet used lspfix, you need to, or you will not be able to browse the web.


----------



## skylarzook (Feb 20, 2005)

ok. after startup normal, registry editor pops up with: cannot export back regs\787512CC-1C3C-46B1-BCB4-246234BEFB77.reg Error opening the file. There may be a disk or file system error. system configuration utility then pops up. just closed those.

hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 8:34:09 PM, on 2/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\downloads\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sarah\Application Data\Mozilla\Profiles\default\afqky783.slt\prefs.js)
O2 - BHO: (no name) - {11783622-045F-42F4-9707-500588688C47} - C:\WINDOWS\System32\bdil.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [StartTabletService] tablet s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\Sarah\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Sarah\Desktop\l2mfix\second.bat
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/133c4347d5323b0cc902/netzip/RdxIE601.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\wdvdmod.dll (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


----------



## skylarzook (Feb 20, 2005)

here is the l2mfix log

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Sarah\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C access for really "Everyone"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

Setting Directory
C:\Documents and Settings\Sarah\Desktop\l2mfix 
C:\Documents and Settings\Sarah\Desktop\l2mfix 
System Rebooted!

Running From:
C:\Documents and Settings\Sarah\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 732 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ddauth.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdusl.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\ddauth.dll 
Successfully Deleted: C:\WINDOWS\system32\ddauth.dll
deleting: C:\WINDOWS\system32\kfdusl.dll 
Successfully Deleted: C:\WINDOWS\system32\kfdusl.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: ddauth.dll (164 bytes security) (deflated 5%)
adding: kfdusl.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 72%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 65%)
adding: reportsun2am.txt (164 bytes security) (deflated 65%)
adding: test.txt (164 bytes security) (deflated 36%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 30%)
adding: backregs/787512CC-1C3C-46B1-BCB4-246234BEFB77.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for really "Everyone"

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ddauth.dll 
deleting local copy: kfdusl.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]
"DllName"=hex(2):64,00,72,00,63,00,74,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
00,00
"Startup"="MeMessager"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\wdvdmod.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found: 
****************************************************************************
C:\WINDOWS\system32\ddauth.dll 
C:\WINDOWS\system32\kfdusl.dll

Registry Entries that were Deleted: 
Please verify that the listing looks ok. 
If there was something deleted wrongly there are backups in the backreg folder. 
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{787512CC-1C3C-46B1-BCB4-246234BEFB77}"=-
[-HKEY_CLASSES_ROOT\CLSID\{787512CC-1C3C-46B1-BCB4-246234BEFB77}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E286AC6F-8B65-4DAA-9181-8967555D2F83}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents: 
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{E286AC6F-8B65-4DAA-9181-8967555D2F83}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
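
The Winlogon Notify export in this log is where the drct16 and "Internet Settings" packages show up, but the DllName values are partly stored as hex(2), i.e. UTF-16LE REG_EXPAND_SZ bytes split across continuation lines, so they are awkward to read by eye. As an added example (not part of L2Mfix or of the thread), this Python parser folds the continuation lines, decodes the hex(2) values, and lists every package whose DLL is not one of the stock XP notify DLLs; the .reg excerpt and the KNOWN_NOTIFY_DLLS set are constructed for the example.

```python
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notify DLLs that ship with Windows XP (assumed set for this example);
# anything else registered here is worth a closer look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Constructed .reg excerpt in the same shape as the export above: two stock
# packages and the two odd ones seen in this thread.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]
"DllName"=hex(2):64,00,72,00,63,00,74,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="MeMessager"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"DllName"="C:\\WINDOWS\\system32\\wdvdmod.dll"
"Logon"="WinLogon"
"""


def _join_continuations(text: str) -> List[str]:
    """Fold .reg continuation lines (trailing backslash) into one logical line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def _decode_value(rhs: str) -> str:
    """Decode a .reg right-hand side: hex(2) is UTF-16LE REG_EXPAND_SZ, "..." is REG_SZ."""
    if rhs.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in rhs[len("hex(2):"):].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00")
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return rhs  # dword:... and other types are left as written


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each Notify package name to its values (value names lower-cased)."""
    packages: Dict[str, Dict[str, str]] = {}
    current = None
    prefix = NOTIFY_KEY.lower() + "\\"
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key.rsplit("\\", 1)[-1] if key.lower().startswith(prefix) else None
            if current is not None:
                packages[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, rhs = line[1:].split('"=', 1)
            packages[current][name.lower()] = _decode_value(rhs)
    return packages


def suspicious_packages(packages: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Packages whose DllName is not a stock XP notify DLL, as (package, dll) pairs."""
    out = []
    for name, values in packages.items():
        dll = values.get("dllname", "")
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            out.append((name, dll))
    return out


if __name__ == "__main__":
    for name, dll in suspicious_packages(parse_notify_export(SAMPLE_REG)):
        print(f"{name}: {dll}")
```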



----------



## Mosaic1 (Aug 17, 2001)

I just signed on. Give me a few minutes to read your posts.


----------



## Mosaic1 (Aug 17, 2001)

I would like a sample of a couple files. If you could create a new folder and copy these into it please:
C:\Documents and Settings\Sarah\n20050308.exe
C:\WINDOWS\System32\ntddetect.exe

Then right click on that folder and choose send to Compressed.
Email as an attachment to me here:
Katie_3232 @hotmail.com

I added a space to the email address. If you remove that space, the address will work.

BRB with an idea or two while you do that.


----------



## Mosaic1 (Aug 17, 2001)

I have attached a zip file. Download it and extract the fixhx.reg file it contains to your desktop.
Sign off and disconnect your modem. This is very important.

Restart into Safe Mode.

Go to Internet Options and empty the Temporary Internet files.
Click the box where it says to delete offline files too.

Run the Killbox:
On the toolbar go to Tools > Delete Temp Files 
Click OK. 
Put a check in the Delete on reboot box.

Copy and paste each of the following paths and click the button like you did before. Do not restart until you have finished entering the last file on the list:

C:\WINDOWS\system32\Tibs3.exe 
C:\WINDOWS\system32\drct16.dll 
C:\WINDOWS\system32\vdmt16.sys 
C:\WINDOWS\system32\winlow.sys 
C:\WINDOWS\system32\WaiZ. 
C:\WINDOWS\system32\w32tm.exe 
C:\Documents and Settings\Sarah\n20050308.exe
C:\WINDOWS\System32\ntddetect.exe

----------------
Restart into Safe mode

Double click on the fixhx.reg you extracted to your desktop.

Run the Killbox:
On the toolbar go to Tools > Delete Temp Files 
Click OK.

Open Windows Explorer and navigate to the C:\Windows\System32 folder 
Right click on an empty space and View >Details
Right click again and click Arrange icons> modified

Look for the following files. They should all have been created around the same date.
Not all may be there. There may be others. Delete them. IF you are not sure, then use the recycle bin and get me a list of what you deleted.

C:\WINDOWS\system32\mszx23.exe 
C:\WINDOWS\system32\Tibs3.exe 
C:\WINDOWS\system32\w32tm.exe 
C:\WINDOWS\system32\drct16.dll 
C:\WINDOWS\system32\cz.dll 
C:\WINDOWS\system32\vdmt16.sys 
C:\WINDOWS\system32\hz.dll 
C:\WINDOWS\system32\winlow.sys 
C:\WINDOWS\system32\wz.dll 
C:\WINDOWS\system32\p2.ini 
C:\WINDOWS\system32\es. 
C:\WINDOWS\system32\WaiZ 
C:\WINDOWS\system32\z 
C:\WINDOWS\system32\I0¢+opes 
C:\WINDOWS\system32\slowIsys 
C:\WINDOWS\system32\zININEwz 
C:\WINDOWS\system32\2Ioso 
C:\WINDOWS\system32\3d 
C:\WINDOWS\system32\|msz

------------

Run Hijackthis and fix any of these you find:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {11783622-045F-42F4-9707-500588688C47} - C:\WINDOWS\System32\bdil.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\Sarah\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Sarah\Desktop\l2mfix\second.bat
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/133c434...ip/RdxIE601.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\wdvdmod.dll (file missing)
*

Delete this folder:
C:\WINDOWS\System32\wsxsvc

Reconnect your modem.

Restart
Run fixhx.reg again 
Update your Anti Virus

Run Ad-Aware

Restart.

Run Hijackthis and post the new log.

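The fix list above is the kind of thing a helper reads by eye: start/search pages reset to about:blank, a search bar served from a DLL in Temp, the same Run-key name under HKLM Run, RunServices and HKCU Run, Trusted Zone entries, bare .ocx/.dll ActiveX downloads, and Winlogon Notify packages that do not ship with Windows. The script below is an added example (not HijackThis code and not a tool used in this thread) that applies those same checks to log text. The sample lines are copied from the log above plus one constructed benign O20 line for wlballoon; the `KNOWN_NOTIFY_PACKAGES` baseline is an assumed list of stock XP Notify packages, not something stated in the thread.

```python
"""Triage a HijackThis log for the entry types treated as hijack indicators in
this thread.  Added example: not HijackThis code and not a tool from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Winlogon Notify packages that ship with Windows XP (assumed baseline for this
# example).  Any other O20 package name is worth a second look.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

_O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# An .exe sitting directly in a profile root (C:\Documents and Settings\<user>\x.exe)
_PROFILE_ROOT_EXE = re.compile(r'^"?C:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe"?', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def _clean(raw: str) -> str:
    # The thread marks the block to fix with a leading/trailing '*'; drop it.
    return raw.strip().strip("*").strip()


def triage(log_text: str) -> List[Finding]:
    lines = [l for l in (_clean(r) for r in log_text.splitlines()) if l]

    # A Run-key name registered under several autostart locations (HKLM Run,
    # RunServices, HKCU Run) is a persistence trick, so count names first.
    run_names: Counter = Counter()
    for line in lines:
        m = _O4_RE.match(line)
        if m:
            run_names[m.group("name").lower()] += 1

    findings: List[Finding] = []
    for line in lines:
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind in ("R0", "R1"):
            if "about:blank" in line:
                reason = "IE start/search page forced to about:blank"
            elif "res://" in line and "\\temp\\" in line.lower():
                reason = "IE search page served from a DLL under a Temp folder"
        elif kind == "R3" and "missing" in line.lower():
            reason = "default URLSearchHook removed"
        elif kind == "O2" and "(file missing)" in line:
            reason = "BHO registered for a DLL that is no longer on disk"
        elif kind == "O4":
            m = _O4_RE.match(line)
            if m:
                name, cmd = m.group("name"), m.group("cmd")
                n = run_names[name.lower()]
                if n > 1:
                    reason = f"autostart '{name}' registered in {n} locations"
                elif _PROFILE_ROOT_EXE.match(cmd):
                    reason = "autostart executable dropped in a user profile root"
        elif kind == "O15":
            reason = "Trusted Zone / Trusted IP entry lowers IE security for that site"
        elif kind == "O16":
            url = line.rsplit(" - ", 1)[-1].strip().lower()
            if url.endswith((".dll", ".ocx")):
                reason = "ActiveX install of a bare DLL/OCX rather than a signed CAB"
        elif kind == "O20":
            pkg = line.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if pkg not in KNOWN_NOTIFY_PACKAGES or "(file missing)" in line:
                reason = f"Winlogon Notify package '{pkg}' is not a stock XP package"
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Sample input: lines from the log above, plus one constructed benign O20 line.
SAMPLE_LOG = r"""
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Sarah\LOCALS~1\Temp\se.dll/sp.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {11783622-045F-42F4-9707-500588688C47} - C:\WINDOWS\System32\bdil.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [ntechin] C:\Documents and Settings\Sarah\n20050308.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/133c434...ip/RdxIE601.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/loader2.ocx
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: wlballoon - C:\WINDOWS\system32\wlnotify.dll
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample, twelve of the sixteen lines are flagged; the RealPlayer Run entry, the signed RdxIE .cab, the stock wlballoon notify package and the Wacom service pass through untouched. The checks are deliberately narrow (an O4 entry in a System32 subfolder such as wsxsvc is not caught), so the output is a reading aid for a log, not a verdict.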

----------



## Mosaic1 (Aug 17, 2001)

When you are sorting those files for deletion, remember they will all have been created around the same time and if you right click on one and choose properties, you likely will not see a version tab.

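The two heuristics in this post (a burst of files written within minutes of each other, and no Version tab under Properties) can be scripted against a folder listing. The example below is added here and is not a tool from the thread: it sorts a folder by modification time the way the "Arrange icons > modified" view does, groups files that arrived within a ten-minute window, and flags members of a burst that contain no `VS_VERSION_INFO` block (the wide-char key every version resource carries; scanning for it is a cheap stand-in for the Version tab, not a PE parser). The fixture folder is constructed: the file names are taken from the lists in this thread, but the contents are dummy bytes and the timestamps are invented.

```python
"""Cluster a folder's files by modification time and flag the ones in a burst
that carry no version resource.  Added example, not a tool from the thread."""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List

# VS_VERSIONINFO blocks embed this UTF-16 key.  Looking for it is a cheap
# stand-in for "does Properties show a Version tab" and is only a heuristic.
_VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")


def has_version_info(path: Path) -> bool:
    """True if the file looks like a PE image and contains a version block."""
    data = path.read_bytes()
    return data[:2] == b"MZ" and _VERSION_KEY in data


def mtime_clusters(folder: Path, window: timedelta, min_size: int = 2) -> List[List[Path]]:
    """Sort by modification time (the 'Arrange icons > modified' view) and
    group files whose timestamps are within `window` of the previous one."""
    files = sorted((p for p in folder.iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime)
    clusters: List[List[Path]] = []
    current: List[Path] = []
    last = None
    for p in files:
        t = p.stat().st_mtime
        if last is not None and t - last > window.total_seconds():
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(p)
        last = t
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def suspicious_candidates(folder: Path, window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Names of files that arrived in a burst and have no version resource."""
    return sorted(p.name for cluster in mtime_clusters(folder, window)
                  for p in cluster if not has_version_info(p))


def build_sample_folder(root: Path) -> Path:
    """Constructed fixture: a fake System32 with two old stock DLLs, a burst of
    droppers written around 3 pm, and one legitimate file in the same burst.
    Names come from the thread; contents and timestamps are made up."""
    root.mkdir(parents=True, exist_ok=True)
    with_version = b"MZ" + b"\0" * 64 + _VERSION_KEY + b"\0" * 16
    without_version = b"MZ" + b"\0" * 96
    burst = datetime(2005, 2, 19, 15, 0)
    old = datetime(2001, 8, 23, 12, 0)
    spec = {
        "authz.dll": (with_version, old),
        "kbdcz.dll": (with_version, old),
        "dktibs.exe": (without_version, burst),
        "akcore.dll": (without_version, burst + timedelta(minutes=1)),
        "akrules.dll": (without_version, burst + timedelta(minutes=2)),
        "p2.ini": (b"[settings]\r\n", burst + timedelta(minutes=3)),
        "good_update.dll": (with_version, burst + timedelta(minutes=4)),
    }
    for name, (content, when) in spec.items():
        path = root / name
        path.write_bytes(content)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


def demo() -> Dict[str, object]:
    """Build the fixture in a temp dir and return what the triage finds."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = build_sample_folder(Path(tmp) / "System32")
        return {"clusters": len(mtime_clusters(folder, timedelta(minutes=10))),
                "flagged": suspicious_candidates(folder)}


if __name__ == "__main__":
    print(demo())
```

On the fixture the two 2001 files form their own cluster but both carry version info, so they are left alone (the same reason Sarah rightly kept authz.dll and kbdcz.dll), while the four versionless files in the 3 pm burst are listed for review. Anything the heuristic surfaces still wants the upload-and-scan step the thread recommends before it is deleted.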

----------



## skylarzook (Feb 20, 2005)

just got your messages, sent a zip of the file i found and about to go through the above suggestions. cheerio!


----------



## Mosaic1 (Aug 17, 2001)

Thanks for the files. I'll have a look and send them to the AV's if anything new. I'll be around for about another half hour. As soon as possible you should get off the internet. Download the attachment and copy the directions to notepad. These nasties are downloaders. You don't want to pick up anything new.

Good luck. I'll see you later. If not tonight then tomorrow.


ntdll.dll is an important Windows system file. They love to name some of their files close to real files to scare you.


----------



## Mosaic1 (Aug 17, 2001)

I see you are still here. Please sign off and disconnect that Modem. You have a Trojan running in the background.

As the instructions say, restart before you begin.

The file you sent is a known. The longer you stay here the more files it might download and install. Copy the instructions and study them while you are disconnected. Not here on line.


----------



## skylarzook (Feb 20, 2005)

here's the log file after the process.

Logfile of HijackThis v1.99.1
Scan saved at 1:56:53 AM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\downloads\hijackthis\hijackthis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Sarah\Application Data\Mozilla\Profiles\default\afqky783.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [StartTabletService] tablet s
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe


----------



## Mosaic1 (Aug 17, 2001)

That is incredibly impressive! I would recommend that you now change all passwords and sensitive information you have on the computer. Any banking or even Forum passwords etc. And your personal password to get into windows if you have one.

You did a great job. It looks clean except for one thing which Hijackthis has trouble cleaning.

O15 - Trusted IP range: 213.159.117.202

Have a look in Internet Options>Security tab
Click the Trusted Zones Icon and then wait a second for the Sites Button to become active.

Highlight the entry and then click the remove button.

Double check to be sure it is gone.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp 
http://www.pandasoftware.com/activescan/

Allow them to clean
-----------

Check to be sure your Recycle Bin is in working order. Sometimes the VX2 infection can cause problems with that.
-----------
Once you have completed all of the other steps and you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.

After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html

Are you able to run in regular Windows mode now and browse the internet normally?


----------



## skylarzook (Feb 20, 2005)

it's looking good so far! i'm feeling a lot better too! thank you very much...
here's the run down of what i deleted and didn't delete. maybe it will help explain. some of those files were from 2001 ish. also noticed a bunch of files made the day i got hit bad, right around three pm. i'm wondering if they could be problems also. there's a list below.

Deleted Files:

C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\system32\cz.dll
also saw a kbdcz.dll, didn't delete
C:\WINDOWS\system32\hz.dll
also saw authz.dll, didn't delete, same date
C:\WINDOWS\system32\wz.dll
saw fxscfgwz.dll, didn't delete, same date
C:\WINDOWS\system32\p2.ini
tried to delete es.dll, access denied, since just listed as es. , didn't pursue with killbox

only one with 3d in it ps.a3d, didn't delete, from few minutes ago 12:35 am

on day noticed things going wrong, saturday, these arrived
dktibs.exe
akupd.dll
akcore.dll
akrules.dll
SpOrder.dll
dosync.dll
docore.dll
perflibs__


and there's an ugly little exe that's sitting in my c drive right now with this girl icon that looks like she might be a vampire. 125021.exe I'm kind of spooked out to touch it, silly as that is. this is probably the beginning of a beautiful paranoia. i should just delete it regular style right?


----------



## Mosaic1 (Aug 17, 2001)

Go ahead and delete that nasty with the lovely icon.

You made the right choice in the first group. The idea is to see if they are nasties or not. A good right click to see if there's a version tab is a good way to spot a problem.

Second group are all VX2 files. Go ahead and delete these:
dktibs.exe
akupd.dll
akcore.dll
akrules.dll
SpOrder.dll
dosync.dll
docore.dll

Anything you are still unsure of, you can upload and have scanned to see if anything is spotted:
http://virusscan.jotti.dhs.org/


----------



## skylarzook (Feb 20, 2005)

I want to thank you very very much for all your help. My computer is clean and behaving itself so nicely. It's plain-out true that I couldn't have done it without you. And I now know much more about my computer. So I really appreciate it. I hope many good things come your way, and that help comes around to you whenever you need it.

All my best,
Thank you,
Sarah


----------



## Mosaic1 (Aug 17, 2001)

Hi Sarah,

You're welcome. A lot of good work was done by others to find the cure for this. I just was lucky to find and be able to use their work.

Thanks. Take care,

Mo


----------



## $teve (Oct 9, 2001)

Closing thread... nice work Katie, I'm working on the *se.dll* in another forum
so this probably helps me out too.
Sarah, if you need this re-opening just PM one of the mods.


----------

