# Last resort is complete wipe

## proteus451 (Dec 9, 2003)

I have read many of the threads and followed suggestions on cleaning my system. I am posting the various logs for your review. I hope you can help. My next step is a complete wipe of everything. Sorry if too long and too many logs.

Thanks in advance!

Spybot report:
--- Search result list ---
DaRu.Revolto: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys

KeenValue.eUniverse.MyFreeCursors: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater

System1060: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST

Common Dialogs: History ( (2 files)) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Internet Explorer: AutoComplete data ( (36 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Internet Explorer\IntelliForms\SPW

Internet Explorer: Cookies ( (1 cookies)) (Directory, nothing done)
C:\Documents and Settings\Kelly & Chris\Cookies

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Internet Explorer\Download Directory=

Internet Explorer: Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Internet Explorer\Main\Save Directory=

Internet Explorer: Temporary internet files ( (120 entries)) (Empty cache, nothing done)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

MGI Photo Suite 8.x: Recent lists ( (16 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\MGI\PhotoSuite\8.05\CurrentConfig

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name=

MS DirectInput: Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\DirectInput\MostRecentApplication\Name=

MS DirectInput: Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\DirectInput\MostRecentApplication\Id=

MS Media Player: Application data file ( ()) (File, nothing done)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Save as Directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MediaPlayer\Player\Settings\SaveAsDir=

MS Office 9.0 (Excel): Recent files ( (4 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Excel\Recent Files

MS Office 9.0 (Outlook): Imported/exported element history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Outlook\DataViz

MS Office 9.0 (Outlook): Location history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Outlook\Preferences\LocationMRU

MS Office 9.0 (Script Editor): Last loaded solution (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\LastLoadedSolution=

MS Office 9.0 (Script Editor): Last new project item location (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\DefaultNewProjItemLocation=

MS Office 9.0 (Script Editor): Last new project item location (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MSE\9.0\DefaultNewProjItemLocation=

MS Office 9.0 (Script Editor): Last new project item location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultNewProjItemLocation=

MS Office 9.0 (Script Editor): Last new project location (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\DefaultNewProjectLocation=

MS Office 9.0 (Script Editor): Last new project location (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MSE\9.0\DefaultNewProjectLocation=

MS Office 9.0 (Script Editor): Last new project location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultNewProjectLocation=

MS Office 9.0 (Script Editor): Last opened file location (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MSE\9.0\DefaultFileOpenLocation=

MS Office 9.0 (Script Editor): Last opened file location (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\DefaultFileOpenLocation=

MS Office 9.0 (Script Editor): Last opened file location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultFileOpenLocation=

MS Office 9.0 (Script Editor): Last opened project item location (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MSE\9.0\DefaultOpenProjItemLocation=

MS Office 9.0 (Script Editor): Last opened project item location (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\DefaultOpenProjItemLocation=

MS Office 9.0 (Script Editor): Last opened project item location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultOpenProjItemLocation=

MS Office 9.0 (Script Editor): Last opened project location (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\MSE\9.0\DefaultOpenProjectLocation=

MS Office 9.0 (Script Editor): Last opened project location (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\MSE\9.0\DefaultOpenProjectLocation=

MS Office 9.0 (Script Editor): Last opened project location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultOpenProjectLocation=

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 9.0: Access recent file ( (27 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Access\Settings

MS Office 9.0: Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Common\Internet\UseRWHlinkNavigation

MS Office 9.0: Internet history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: Recently used files ( (6 files)) (Directory, nothing done)
C:\Documents and Settings\Kelly & Chris\Application Data\Microsoft\Office\Recent\

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey=

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Search Assistant\ACMru

MS Wordpad: Recent file list ( (2 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Windows Explorer: Last Copy/MoveTo folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Explorer: Last visited history ( (2 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Network map history ( (4 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Recently opened files ( (2 links)) (Directory, nothing done)
C:\Documents and Settings\Kelly & Chris\Recent

Windows Explorer: Stream history ( (26 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: User Assistant history files ( (261 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE ( (103 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows.OpenWith: Open with list - .ASX extension ( (2 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AVI extension ( (3 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BMP extension ( (3 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .CHF extension ( (2 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHF\OpenWithList

Windows.OpenWith: Open with list - .CSV extension ( (4 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\gzAddDir=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\AddDir=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\zDefDir=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\DefDir=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\gzExtractTo=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\directories\ExtractTo=

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\rrs\Opened=

WinZip: Recent created file list ( (15 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Recent extracted file list ( (10 files)) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1343024091-854245398-1004\Software\Nico Mak Computing\WinZip\extract

--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-11-05 Includes\Dialer.sbi
2003-11-24 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-11-20 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-12 Includes\QA Tests.sbi
2003-11-05 Includes\Security.sbi
2003-11-24 Includes\Spybots.sbi
2003-11-21 Includes\Temporary.sbi
2003-11-05 Includes\Tracks.uti
2003-11-21 Includes\Trojans.sbi

--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP1: Windows XP Hotfix - KB823980
/ Windows XP / SP1: Windows XP Service Pack 1a
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q328310
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q331953
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811493
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q815021
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP2: Windows XP Hotfix - KB282010
/ Windows XP / SP2: Advanced Networking Pack for Windows XP
/ Windows XP / SP2: Windows XP Hotfix - KB820291
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB822603
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB823980
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB829558
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814995
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606

--- Startup entries list ---
Spybot-S&D Startup list report, 12/8/2003 5:49:23 PM

Located: HK_CU:Run, TaskTray
file: C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
MD5: DD12FA3C35B37B595FA66D8494E54ABD

Located: HK_CU:Run, Weather
file: C:\Program Files\AWS\WeatherBug\Weather.exe 1

Located: HK_CU:Run, NvMediaCenter
file: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

Located: HK_CU:Run, quicken
file: C:\WINDOWS\quicken.exe
MD5: C4457CC7F9888E76140A508338C1C6C8

Located: HK_CU:Run, editpad
file: C:\WINDOWS\editpad.exe
MD5: B5E1C445FB415BD835EFE8D1A21470C5

Located: HK_CU:Run, rundll32
file: c:\windows\rundll32.exe

Located: HK_LM:Run, SoundMan
file: SOUNDMAN.EXE

Located: HK_LM:Run, Disc Detector
file: C:\Program Files\Creative\ShareDLL\CtNotify.exe
MD5: E1119A997FD21B8230B0A69DCF620476

Located: HK_LM:Run, CTStartup
file: C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

Located: HK_LM:Run, Jet Detection
file: C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
MD5: EB3544241A8C9ADB787FFC1BFD591CB4

Located: HK_LM:Run, NvCplDaemon
file: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

Located: HK_LM:Run, nwiz
file: nwiz.exe /install

Located: HK_LM:Run, BJCFD
file: C:\Program Files\BroadJump\Client Foundation\CFD.exe
MD5: BA9AF06103549A96F77036861FDE357B

Located: HK_LM:Run, ccApp
file: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Located: HK_LM:Run, ccRegVfy
file: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

Located: HK_LM:Run, Advanced Tools Check
file: D:\SAVEFI~1\Programs\Norton\AdvTools\ADVCHK.EXE
MD5: BB9F8399D4E16ED2BCBA2EC138E47139

Located: HK_LM:Run, HPHmon04
file: C:\WINDOWS\System32\hphmon04.exe
MD5: 2F593E885B1539384AFEB79BFA211A66

Located: HK_LM:Run, Share-to-Web Namespace Daemon
file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
MD5: 2F2BC80803F0638F6738E37F769E4BD0

Located: HK_LM:Run, Soundmx
file: \soundmx.exe
MD5: 1164EEC27F403ABAC140344F7410F2D7

Located: HK_LM:Run, Ad-watch
file: "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe"

Located: HK_LM:Run, Ad-aware
file: "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-aware.exe" +c

Located: HK_LM:Run, HPDJ Taskbar Utility
file: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
MD5: 2D9CE5DDE52CEEA539E0DD20735A0797

Located: HK_LM:Run, UpdReg
file: C:\WINDOWS\Updreg.exe
MD5: C419DF63E0121D72411285780C2FC6CC

Located: HK_LM:Run, POINTER
file: point32.exe

Located: HK_LM:Run, HPHUPD04
file: "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

Located: HK_LM:Run, winmain
file: winmain.exe

Located: HK_LM:Run, Svchost
file: C:\WINDOWS\winhost.exe

Located: HK_LM:Run, 4DXX2QM2GB4BMW
file: C:\WINDOWS\System32\NuzK63G.exe
MD5: D2434001B1B2C79F4CA1934271CBA6C3

Located: HK_LM:Run, tgcmdprovidersbc
file: "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

Located: HK_LM:Run, sys
file: regedit /s sys.reg

Located: HK_LM:Run, updater
file: C:\Program Files\Common files\updater\wupdater.exe

Located: HK_LM:Run, tgcmdprovidersbc (DISABLED)
file: "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

Located: HK_LM:Run, 4DXX2QM2GB4BMW (DISABLED)
file: C:\WINDOWS\System32\NuzK63G.exe
MD5: D2434001B1B2C79F4CA1934271CBA6C3

Located: HK_LM:Run, updater (DISABLED)
file: C:\Program Files\Common files\updater\wupdater.exe

Located: HK_LM:Run, UpdReg (DISABLED)
file: C:\WINDOWS\Updreg.exe
MD5: C419DF63E0121D72411285780C2FC6CC

Located: HK_LM:Run, Svchost (DISABLED)
file: C:\WINDOWS\winhost.exe

Located: Startup (common), HotSync Manager.lnk
file: D:\Palm\HOTSYNC.EXE
MD5: 47233F2ABB77FB6F456202937F29211D

Located: Startup (common), Microsoft Office.lnk
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
MD5: B9E0369CB62C7BA3731A471E91E43FB9

Located: Startup (common), PowerReg Scheduler.exe
file:

Located: win.ini, Run
file: fntldr.exe

--- Browser helper object list ---
Spybot-S&D Browser helper object report, 12/8/2003 5:49:24 PM

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Class file: AcroIEHelper.ocx
Attributes: 
Date: 3/2/2001 11:02:04 AM
MD5: 8394ABFC1BE196A62C9F532511936DF7
Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
Short name: ACROIE~1.OCX
Size: 37808 bytes
Version: 0.1.0.0
Class name: AcroIEHlprObj Class
CLSID database: legitimate software
Description: Adobe Acrobat reader
Filename: ACROIEHELPER.OCX

{53707962-6F74-2D53-2644-206D7942484F}
Class file: SDHelper.dll
Attributes: archive 
Date: 3/16/2003 1:02:00 AM
MD5: 423CBD3CFAEEB62C5C97A9449567B474
Path: C:\PROGRA~1\SPYBOT~1\
Short name: 
Size: 711168 bytes
Version: 255.255.255.255
CLSID database: legitimate software
Description: Spybot-S&D IE Browser plugin
Filename: SDHelper.dll

{BDF3E430-B101-42AD-A544-FADC6B084872}
Class file: NavShExt.dll
Attributes: archive 
Date: 11/14/2002 11:09:06 PM
MD5: 988409CE6ED638AAFDBECFB6EC863F4F
Path: D:\SAVE FILES\Programs\Norton\
Short name: 
Size: 112248 bytes
Version: 0.9.0.5
Class name: CNavExtBho Class
CLSID database: legitimate software
Description: Norton Antivirus
Filename: NavShExt.dll
Name: NAV Helper

--- ActiveX list ---
Spybot-S&D ActiveX report, 12/8/2003 5:49:24 PM

Microsoft XML Parser for Java
Download location: file://C:\WINDOWS\Java\classes\xmldso.cab
Name: Microsoft XML Parser for Java
Version: 1,0,9,2

{0000000A-9980-0010-8000-00AA00389B71}
Download location: http://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
Last modified: Thu, 12 Dec 2002 21:28:24 GMT
Version: 0,0,0,1

{0E5F0222-96B9-11D3-8997-00104BD12D94}
Class file: PCPITS~1.DLL
Attributes: archive 
Date: 9/2/2003 10:52:30 AM
MD5: BCA44EAEFCEA0133B35551664570351F
Path: C:\WINDOWS\DOWNLO~1\
Short name: PCPITS~1.DLL
Size: 249856 bytes
Version: 0.1.0.0
Class name: PCPitstop Utility
CLSID database: unknown class
Description: Gateway tools
Filename: PCPITSTOP.DLL
Contains file: DiskFAU.dll
Attributes: archive 
Date: 4/18/2003 1:59:44 PM
MD5: 5689C59C70EC84831FFFDAD1DAA8DA3A
Path: C:\WINDOWS\Downloaded Program Files\
Short name: 
Size: 53248 bytes
Version: 0.1.0.0
Contains file: pcpbios.exe
Attributes: archive 
Date: 3/14/2002 1:00:26 PM
MD5: 68C5BB8A734A1C6F38705E61923C3317
Path: C:\WINDOWS\System32\
Short name: 
Size: 38567 bytes
Version: 255.255.255.255
Contains file: PCPitstop.dll
Attributes: archive 
Date: 9/2/2003 10:52:30 AM
MD5: BCA44EAEFCEA0133B35551664570351F
Path: C:\WINDOWS\Downloaded Program Files\
Short name: PCPITS~1.DLL
Size: 249856 bytes
Version: 0.1.0.0
Contains file: sysres.dll
Attributes: archive 
Date: 8/16/1998 6:00:00 AM
MD5: 4DB16572BB9FC4EC4840EF55FB91F375
Path: C:\WINDOWS\System32\
Short name: 
Size: 4096 bytes
Version: 255.255.255.255
Download location: http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
Last modified: Tue, 02 Sep 2003 15:03:17 GMT
Version: 1,0,0,121

{166B1BCA-3F9C-11CF-8075-444553540000}
Class file: SwDir.dll
Attributes: archive 
Date: 2/11/2003 5:02:58 AM
MD5: 92FA0AE21D3A08B65D291724AA7D0E43
Path: C:\WINDOWS\system32\Macromed\Director\
Short name: 
Size: 32768 bytes
Version: 0.8.0.5
Class name: Shockwave ActiveX Control
CLSID database: unknown class
Description: Macromedia ShockWave Flash Player 7
Filename: SWDIR.DLL
Download location: http://active.macromedia.com/director/cabs/sw.cab
Last modified: Tue, 08 Oct 2002 18:22:24 GMT
Version: 8,5,1,102

{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
Class file: MiniBugTransporter.dll
Attributes: archive 
Date: 8/25/2003 4:30:34 PM
MD5: E42E5239BE7AD0DEF74AB75CB97A8CC3
Path: C:\WINDOWS\Downloaded Program Files\
Short name: MINIBU~1.DLL
Size: 352256 bytes
Version: 0.2.0.0
Class name: MiniBugTransporterX Class
Contains file: MiniBugTransporter.dll
Attributes: archive 
Date: 8/25/2003 4:30:34 PM
MD5: E42E5239BE7AD0DEF74AB75CB97A8CC3
Path: C:\WINDOWS\Downloaded Program Files\
Short name: MINIBU~1.DLL
Size: 352256 bytes
Version: 0.2.0.0
Download location: http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
Last modified: Mon, 25 Aug 2003 21:44:04 GMT
Version: 2,0,0,8

{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
Class file: yinsthelper.dll
Attributes: archive 
Date: 7/29/2002 9:00:56 AM
MD5: FAE22CCE0441499804CA279AF385F14F
Path: C:\WINDOWS\Downloaded Program Files\
Short name: YINSTH~1.DLL
Size: 94284 bytes
Version: 7.210.0.7
Class name: YInstStarter Class
Contains file: yinsthelper.dll
Attributes: archive 
Date: 7/29/2002 9:00:56 AM
MD5: FAE22CCE0441499804CA279AF385F14F
Path: C:\WINDOWS\Downloaded Program Files\
Short name: YINSTH~1.DLL
Size: 94284 bytes
Version: 7.210.0.7
Download location: http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
Last modified: Tue, 10 Sep 2002 21:42:04 GMT
Version: 2002,7,29,1

{33564D57-9980-0010-8000-00AA00389B71}
Download location: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
Last modified: Thu, 12 Dec 2002 21:29:19 GMT
Version: 0,0,0,1

{78AF2F24-A9C3-11D3-BF8C-0060B0FCC122}
Class file: ACDCTO~1.OCX
Attributes: archive 
Date: 4/23/2001 1:59:22 AM
MD5: 3D950983CBFAC3A1AA35696810C2E9BF
Path: C:\WINDOWS\DOWNLO~1\
Short name: ACDCTO~1.OCX
Size: 54896 bytes
Version: 0.15.0.0
Class name: AcDcToday Control
Contains file: AcDcToday.ocx
Attributes: archive 
Date: 4/23/2001 1:59:22 AM
MD5: 3D950983CBFAC3A1AA35696810C2E9BF
Path: C:\WINDOWS\Downloaded Program Files\
Short name: ACDCTO~1.OCX
Size: 54896 bytes
Version: 0.15.0.0
Download location: file://E:\AutoCAD 2002\AcDcToday.ocx
Version: 15,0,6,30

{9F1C11AA-197B-4942-BA54-47A8489BB47F}
Class file: iuctl.dll
Attributes: archive 
Date: 8/25/2003 5:06:50 PM
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINDOWS\System32\
Short name: 
Size: 115808 bytes
Version: 0.5.0.4
Class name: Update Class
CLSID database: legitimate software
Description: Windows Update
Filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
Contains file: iuctl.dll
Attributes: archive 
Date: 8/25/2003 5:06:50 PM
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINDOWS\System32\
Short name: 
Size: 115808 bytes
Version: 0.5.0.4
Contains file: iuengine.dll
Attributes: archive 
Date: 8/25/2003 5:06:50 PM
MD5: 6B43E283AF93D9823D7B69D9766AB4E9
Path: C:\WINDOWS\System32\
Short name: 
Size: 182880 bytes
Version: 0.5.0.4
Download location: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.8137615741
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Version: 5,4,3790,14

{AE563720-B4F5-11D4-A415-00108302FDFD}
Class file: InstBanr.ocx
Attributes: archive 
Date: 4/23/2001 1:59:24 AM
MD5: 7F9441FAF5865B07DAC75EDB1DEFF408
Path: C:\WINDOWS\DOWNLO~1\
Short name: 
Size: 108088 bytes
Version: 0.1.0.0
Class name: NOXLATE-BANR
Contains file: InstBanr.ocx
Attributes: archive 
Date: 4/23/2001 1:59:24 AM
MD5: 7F9441FAF5865B07DAC75EDB1DEFF408
Path: C:\WINDOWS\Downloaded Program Files\
Short name: 
Size: 108088 bytes
Version: 0.1.0.0
Download location: file://E:\AutoCAD 2002\InstBanr.ocx
Version: 1,0,0,15

{C6637286-300D-11D4-AE0A-0010830243BD}
Class file: InstFred.ocx
Attributes: archive 
Date: 4/23/2001 1:59:24 AM
MD5: 7277DB945E523480C7B23DC718B192C3
Path: C:\WINDOWS\DOWNLO~1\
Short name: 
Size: 276024 bytes
Version: 0.1.0.0
Class name: InstaFred
Contains file: InstFred.ocx
Attributes: archive 
Date: 4/23/2001 1:59:24 AM
MD5: 7277DB945E523480C7B23DC718B192C3
Path: C:\WINDOWS\Downloaded Program Files\
Short name: 
Size: 276024 bytes
Version: 0.1.0.0
Download location: file://E:\AutoCAD 2002\InstFred.ocx
Version: 1,0,3,12

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}
Class file: SymAData.dll
Attributes: archive 
Date: 7/11/2003 8:52:36 PM
MD5: 509273596B62B1533B6AD1544704A043
Path: C:\WINDOWS\Downloaded Program Files\
Short name: 
Size: 124112 bytes
Version: 0.1.0.0
Class name: ActiveDataInfo Class
Contains file: SymAData.dll
Attributes: archive 
Date: 7/11/2003 8:52:36 PM
MD5: 509273596B62B1533B6AD1544704A043
Path: C:\WINDOWS\Downloaded Program Files\
Short name: 
Size: 124112 bytes
Version: 0.1.0.0
Download location: https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
Last modified: Wed, 02 Jul 2003 14:33:00 GMT
Version: 1,0,0,1

{D27CDB6E-AE6D-11CF-96B8-444553540000}
Class file: Flash.ocx
Attributes: archive 
Date: 9/4/2003 2:17:58 PM
MD5: B414D4BA7BFB6218AE6B224B46C81D60
Path: C:\WINDOWS\System32\macromed\flash\
Short name: 
Size: 917504 bytes
Version: 0.7.0.0
Class name: Shockwave Flash Object
CLSID database: legitimate software
Description: Macromedia Shockwave Flash Player
Download location: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Last modified: Fri, 05 Sep 2003 18:36:03 GMT
Version: 7,0,14,0

{E77C0D62-882A-456F-AD8F-7C6C9569B8C7}
Class file: ActiveData.dll
Attributes: archive 
Date: 6/12/2002 12:16:22 PM
MD5: C0A5720A581109543B113A8BEAE7868C
Path: C:\WINDOWS\Downloaded Program Files\
Short name: ACTIVE~1.DLL
Size: 112312 bytes
Version: 0.1.0.0
Class name: ActiveDataObj Class
Contains file: ActiveData.dll
Attributes: archive 
Date: 6/12/2002 12:16:22 PM
MD5: C0A5720A581109543B113A8BEAE7868C
Path: C:\WINDOWS\Downloaded Program Files\
Short name: ACTIVE~1.DLL
Size: 112312 bytes
Version: 0.1.0.0
Download location: https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Last modified: Fri, 10 Jan 2003 19:42:30 GMT
Version: 1,0,0,1

{F281A59C-7B65-11D3-8617-0010830243BD}
Class file: ACPREV~1.OCX
Attributes: archive 
Date: 4/23/2001 1:59:14 AM
MD5: E24D3B63BC9AA3FC9C0ED1871B7B4FE7
Path: C:\WINDOWS\DOWNLO~1\
Short name: ACPREV~1.OCX
Size: 120440 bytes
Version: 0.15.0.0
Class name: AcPreview Control
Contains file: AcPreview.ocx
Attributes: archive 
Date: 4/23/2001 1:59:14 AM
MD5: E24D3B63BC9AA3FC9C0ED1871B7B4FE7
Path: C:\WINDOWS\Downloaded Program Files\
Short name: ACPREV~1.OCX
Size: 120440 bytes
Version: 0.15.0.0
Download location: file://E:\AutoCAD 2002\AcPreview.ocx
Version: 15,0,6,30

--- Process list ---
Spybot-S&D process list report, 12/8/2003 5:49:24 PM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 136 (1972) D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe
PID: 192 (1972) C:\WINDOWS\System32\hphmon04.exe
PID: 224 (1972) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PID: 244 (1532) C:\WINDOWS\System32\svchost.exe
PID: 340 (1736) C:\Program Files\Creative\ShareDLL\MediaDet.Exe
PID: 344 (1532) C:\WINDOWS\System32\nvsvc32.exe
PID: 508 (1972) C:\WINDOWS\SOUNDMAN.EXE
PID: 540 (1972) C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
PID: 564 (1736) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PID: 588 (1532) svchost.exe
PID: 648 (1532) svchost.exe
PID: 776 (1532) C:\WINDOWS\System32\MsPMSPSv.exe
PID: 972 (1972) C:\Program Files\Creative\ShareDLL\CtNotify.exe
PID: 992 (1972) C:\Program Files\Microsoft Hardware\Mouse\point32.exe
PID: 1104 (1532) C:\WINDOWS\system32\spoolsv.exe
PID: 1144 (1532) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1208 (1972) C:\program files\support.com\bin\tgcmd.exe
PID: 1232 (1972) C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
PID: 1276 (1972) C:\Program Files\AWS\WeatherBug\Weather.exe
PID: 1344 (1972) C:\WINDOWS\System32\RUNDLL32.EXE
PID: 1392 ( 4) \SystemRoot\System32\smss.exe
PID: 1444 (1392) csrss.exe
PID: 1468 (1392) \??\C:\WINDOWS\system32\winlogon.exe
PID: 1532 (1468) C:\WINDOWS\system32\services.exe
PID: 1544 (1468) C:\WINDOWS\system32\lsass.exe
PID: 1548 (1532) alg.exe
PID: 1736 (1532) C:\WINDOWS\system32\svchost.exe
PID: 1776 (1532) C:\WINDOWS\System32\CTsvcCDA.EXE
PID: 1808 (1532) D:\SAVE FILES\Programs\Norton\navapsvc.exe
PID: 1836 (1532) D:\SAVE FILES\Programs\Norton\AdvTools\NPROTECT.EXE
PID: 1880 (1972) D:\Palm\HOTSYNC.EXE
PID: 1972 (1952) C:\WINDOWS\Explorer.EXE
PID: 2016 (1972) C:\Program Files\BroadJump\Client Foundation\CFD.exe
PID: 2024 (1972) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 2796 (1972) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 3264 (3252) C:\WINDOWS\System32\Ayn5vFKM.exe
PID: 3272 (3264) C:\WINDOWS\System32\Ayn5vFKM.exe

--- Browser start & search pages list ---
Spybot-S&D browser pages report, 12/8/2003 5:49:24 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\@
69.61.38.52
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Spybot-S&D winsock LSP report, 12/8/2003 5:49:24 PM

NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC})
NS Provider ( 3) Network Location Awareness (NLA) Namespace ({6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83})
Protocol ( 1) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 2) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 3) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 4) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 5) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 6) MSAFD NetBIOS [\Device\NetBT_Tcpip_{3111454E-C950-4A57-A1A9-3D5EF1E11ECD}] SEQPACKET 8 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 7) MSAFD NetBIOS [\Device\NetBT_Tcpip_{3111454E-C950-4A57-A1A9-3D5EF1E11ECD}] DATAGRAM 8 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 8) MSAFD NetBIOS [\Device\NetBT_Tcpip_{90C583E0-7EB1-475D-9863-A6A50754A5E2}] SEQPACKET 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 9) MSAFD NetBIOS [\Device\NetBT_Tcpip_{90C583E0-7EB1-475D-9863-A6A50754A5E2}] DATAGRAM 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (10) MSAFD NetBIOS [\Device\NetBT_Tcpip_{589A8510-885F-4411-A730-E5B0F7C0AF3B}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{589A8510-885F-4411-A730-E5B0F7C0AF3B}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (12) MSAFD NetBIOS [\Device\NetBT_Tcpip_{419B3364-09AC-456E-8AA6-6D9C9AC445AB}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (13) MSAFD NetBIOS [\Device\NetBT_Tcpip_{419B3364-09AC-456E-8AA6-6D9C9AC445AB}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (14) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D322BAE0-75ED-4D92-8D10-1882BAC234F1}] SEQPACKET 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (15) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D322BAE0-75ED-4D92-8D10-1882BAC234F1}] DATAGRAM 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (16) MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F293C16-B97B-4395-A2BD-D91B579E72A0}] SEQPACKET 6 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (17) MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F293C16-B97B-4395-A2BD-D91B579E72A0}] DATAGRAM 6 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (18) MSAFD NetBIOS [\Device\NetBT_Tcpip_{98CBBFBD-5B69-4E3E-8F0B-B1A46E59F468}] SEQPACKET 7 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (19) MSAFD NetBIOS [\Device\NetBT_Tcpip_{98CBBFBD-5B69-4E3E-8F0B-B1A46E59F468}] DATAGRAM 7 ({8D5F1830-C273-11CF-95C8-00805F48A192})

Hijackthis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
D:\SAVE FILES\Programs\Norton\navapsvc.exe
D:\SAVE FILES\Programs\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\Ayn5vFKM.exe
C:\WINDOWS\System32\Ayn5vFKM.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\SAVE FILES\Programs\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\SAVEFI~1\Programs\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Ad-watch] "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Ad-aware] "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [4DXX2QM2GB4BMW] C:\WINDOWS\System32\NuzK63G.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\winhost.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.8137615741
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD 2002\AcPreview.ocx


----------



## Flrman1 (Jul 26, 2002)

Hi proteus451

Welcome to TSG! 

You have the peper.a trojan, a CWS hijack, and more.

To remove peper:

First run This uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

Next, use the following tool to delete the files themselves:

http://www.mjc1.com/files/mo/drpeper.html
Download it, it will self extract to c:\.

Navigate to:

C:\drpeper\Find backup and Delete Peper files.vbs

Double-click the Find backup and Delete Peper files.vbs file

On the first prompt copy and paste:

Ayn5vFKM.exe

And hit ok.

On the second, paste:

NuzK63G.exe

And hit ok.

It will find all the peper files and delete them. Also it makes backups in the same folder.
It will open a text file (Peper.txt) with a list of all files deleted.

To remove CWS:

Click on the link below and it will download CWShredder. Close all browser windows, click on the cwshredder.exe then click "Next" (Not "Scan only") and let it do its thing.

http://www.spywareinfo.com/~merijn/junk/CWShredder.exe

When it is finished restart your computer.

I strongly recommend you install the following patches for the vulnerabilities that this hijacker exploits:

http://www.microsoft.com/security/security_bulletins/ms03-011.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp

When finished go to the C:\drpeper folder and locate the peper.txt file. Copy and paste the list from the Peper.txt file here, along with another Hijack This log.


----------



## proteus451 (Dec 9, 2003)

Thanks! This removed a lot. Can you look at the new file and see if there is anything else to remove? It is only the Hijackthis.log. If you want to see the spyware or adaware files, let me know.

thanks

Logfile of HijackThis v1.97.7
Scan saved at 8:36:57 PM, on 12/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
D:\SAVE FILES\Programs\Norton\navapsvc.exe
D:\SAVE FILES\Programs\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\SAVE FILES\Programs\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\SAVEFI~1\Programs\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Ad-watch] "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Ad-aware] "D:\SAVE FILES\Programs\Ad-Aware\Ad-aware 6\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [4DXX2QM2GB4BMW] C:\WINDOWS\System32\NuzK63G.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\winhost.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.8137615741
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD 2002\AcPreview.ocx


----------



## Flrman1 (Jul 26, 2002)

I don't need to see the other logs, but I do need you to go to the C:\drpeper folder and locate the peper.txt file and copy and paste its contents here.

While you do that I'll look through this Hijack This log. You do have some things there that need removing also.


----------



## proteus451 (Dec 9, 2003)

Here you go. Thanks again.

12/8/2003 8:14:55 PM
C:\WINDOWS\system32\Ajh6KY6.exe
C:\WINDOWS\system32\Ayn5vFKM.exe
C:\WINDOWS\system32\Ieqm1D4c.exe
C:\WINDOWS\system32\LpbO5vGL.exe
C:\WINDOWS\system32\TqtPz.exe
C:\WINDOWS\system32\XrkInpex.exe
12/8/2003 8:15:06 PM
C:\WINDOWS\system32\Hcj2s6.exe
C:\WINDOWS\system32\NuzK63G.exe
C:\WINDOWS\system32\Yknt4Q.exe


----------



## Flrman1 (Jul 26, 2002)

OK the peper.txt file is good. Go ahead and delete the C:\drpeper folder.

Some of the files we are going to delete may be hidden files so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"

Run Hijack This again and put a check by these. Close all windows except HijackThis and "Fix checked"

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [winmain] winmain.exe

O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

O4 - HKLM\..\Run: [4DXX2QM2GB4BMW] C:\WINDOWS\System32\NuzK63G.exe

O4 - HKLM\..\Run: [sys] regedit /s sys.reg

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\winhost.exe

O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe

O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe

O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe

Restart to safe mode and delete:

The C:\WINDOWS\editpad.exe file
The C:\WINDOWS\quicken.exe file
The C:\WINDOWS\winhost.exe file
The C:\Program Files\Common files\updater folder

See here for starting to safe mode if you don't know how:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Boot back to normal.

Empty the Recycle Bin.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

When you are sure you are clean turn it back on and create a restore point.

Go here and do an online virus scan:

http://housecall.trendmicro.com/
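The entries picked out for "Fix checked" above share a few structural tells: a core Windows binary name (Svchost, rundll32) pointing outside System32, a silent `regedit /s` import, a random-looking name like 4DXX2QM2GB4BMW, or a bare filename resolved through PATH. As an added example, not part of this thread or of HijackThis, the Python below parses O4 Run lines copied from the logs above and reports those tells; the heuristics and the SYSTEM_NAMES list are my own and only produce candidates for a person to judge, which is why it also raises the legitimate SoundMan entry and says nothing about adware such as BJCFD or tgcmd that only signature knowledge identifies.

```python
import re
from typing import Dict, List

# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [4DXX2QM2GB4BMW] C:\WINDOWS\System32\NuzK63G.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\winhost.exe
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
"""

# HijackThis O4 format for registry Run keys: "O4 - HKLM\..\Run: [name] command"
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed list (my own, not from the thread): core Windows binaries that live in
# System32. A Run entry borrowing one of these names but launching from elsewhere
# is a masquerade, the pattern behind [Svchost] C:\WINDOWS\winhost.exe above.
SYSTEM_NAMES = {"svchost", "rundll32", "winlogon", "lsass", "services", "csrss", "smss", "explorer"}
WINDIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
VOWELS = set("aeiou")


def command_path(cmd: str) -> str:
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def looks_random(s: str) -> bool:
    """Crude randomness proxy: has digits and either >=2 case switches or is a long vowel-free string."""
    letters = [c for c in s if c.isalpha()]
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    no_vowels = len(s) >= 10 and not (set(s.lower()) & VOWELS)
    return any(c.isdigit() for c in s) and (switches >= 2 or no_vowels)


def triage_o4(line: str) -> List[str]:
    """Reasons an O4 Run entry deserves a human look; empty means nothing structural stands out."""
    m = O4_RUN.match(line.strip())
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    exe = command_path(cmd)
    directory, _, filename = exe.rpartition("\\")
    stem_raw = filename.rsplit(".", 1)[0]
    stem, directory = stem_raw.lower(), directory.lower()
    reasons = []
    if stem == "regedit" and "/s" in cmd.lower().split():
        reasons.append("silently imports a .reg file at every logon")
    if (name.lower() in SYSTEM_NAMES or stem in SYSTEM_NAMES) and directory and directory != SYSTEM32:
        reasons.append("uses a core Windows binary name but runs from outside System32")
    if looks_random(name) or looks_random(stem_raw):
        reasons.append("random-looking entry or file name")
    if directory == WINDIR:
        reasons.append("executable sits directly in the Windows directory, not System32 or Program Files")
    if not directory and stem not in SYSTEM_NAMES | {"regedit"}:
        reasons.append("bare filename resolved through PATH at logon")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map entry name -> reasons for every O4 Run line that raised at least one reason."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = O4_RUN.match(line.strip())
        if m and (reasons := triage_o4(line)):
            hits[m.group("name")] = reasons
    return hits


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(f"[{entry}]")
        for r in why:
            print(f"    - {r}")
```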


----------



## proteus451 (Dec 9, 2003)

I've completed everything you suggested. Mind taking a look at the hijackthis log again to make sure?


----------



## proteus451 (Dec 9, 2003)

Logfile of HijackThis v1.97.7
Scan saved at 10:07:12 PM, on 12/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
D:\SAVE FILES\Programs\Norton\navapsvc.exe
D:\SAVE FILES\Programs\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Palm\HOTSYNC.EXE
D:\SAVE FILES\Programs\HiJack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\SAVE FILES\Programs\Norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\SAVEFI~1\Programs\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.8137615741
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCAD 2002\AcPreview.ocx


----------



## dvk01 (Dec 14, 2002)

Download & Run *CWshredder from 
http://www.spywareinfo.com/~merijn/cwschronicles.html*
and *make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection, otherwise you will be continually reinfected*


----------



## Flrman1 (Jul 26, 2002)

proteus451 

The log looks good! :up:

Derek,

I already had him run CWShredder and advised to apply the patches.


----------



## proteus451 (Dec 9, 2003)

You guys are the BEST!!!!  Thanks so much for all your help.


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! :up:


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by flrman1:_
> *proteus451
> 
> The log looks good! :up:
> ...


Sorry Mark, I never noticed that part of the post


----------



## Flrman1 (Jul 26, 2002)

No problem!


----------



## proteus451 (Dec 9, 2003)

I have a couple (almost put one) more little questions, if you don't mind. Before this happened, I was completely up-to-date on all my microsoft patches (critical and security) and had just updated and run my Norton 2004 Anti-virus software. Granted, I wasn't using Spybot S&D or Ad-Aware at the time, but how could these have gotten on my comp.? Did they come through pop-ups? Why didn't Norton A/V catch them?

Thanks, again guys


----------



## winchester73 (Aug 18, 2003)

For prophylaxis, consider the following:

SpywareBlaster v2.6.1 and SpywareGuard v2.2, to prevent ActiveX drive-by installations, as well as provide real-time browser hijacking protection: http://www.wilderssecurity.net/index.html

IE-SPYAD, a registry file that adds a long list of known "sites" to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
(that item is included in ie-spyad)

All three are updated regularly, and will help minimize the damage ...


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by proteus451:_
> *I have a couple (almost put one) more little questions, if you don't mind. Before this happened, I was completely up-to-date on all my microsoft patches (critical and security) and had jut updated and run my Norton 2004 Anti-virus software. Granted, I wasn't using Spybot S&D or Ad-Aware at the time, but how could these have gotten on my comp.? Did they come through pop-ups? Why didn't Norton A/V catch them?
> 
> Thanks, again guys *


go here http://forums.net-integration.net/index.php?showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks. 
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.


----------



## winchester73 (Aug 18, 2003)

Derek ... :up: 

BTW, an IE-SPYAD update was released today.


----------

