
Dealing with Diskcleaner infection and others

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2007/06/25.

  1. 2007/06/25
    BillB Well-Known Member Thread Starter
    My niece brought me her PC saying she was having all kinds of pop-up problems both on and offline. When I booted it up, it took forever for the desktop to load, then the pop-ups started, virus notifications requesting that you download some software to fix it, diskcleaner pop-ups, etc., and something is keeping the hard drive so busy that it takes forever to get any application to run. The desktop shows the icons, but seems to have some kind of windowed layer on top with a scroll bar on the right and a red background that I can't get rid of either.

    What I've done so far:

    Installed, updated and scanned with Spybot in safe mode. It removed a bunch of malware.

    Installed and updated Adaware SE, tried to scan with it both in safe and normal mode and it gets to where it has found about 90+ items then just stops. Task manager says it's still running but it isn't doing anything.

    I ran Vundofix and it didn't find anything to remove.

    Tried to run disk cleanup, it starts then gives the message 'this program has encountered an error and needs to close'.

    Downloaded ATFCleaner and tried it, did the same thing.

    I deleted temporary internet files via IE for both user accounts.

    I tried to run Hijackthis both in normal and safe modes, it starts and then closes on its own. I haven't been able to get it to stay open long enough to get a scan. I even tried the Admin acct in safe mode, no go.

    I updated AVG and scanned with it also, same results as with Adaware, goes so far and just seems to stop.

    Does anyone have any ideas what I can do to try to clean this thing up without wiping it and starting over, or is it beyond hope?

    This is a Gateway machine with WinXP Home and SP1.
     
  2. 2007/06/25
    BillB Well-Known Member Thread Starter
    I downloaded and ran the Smitfraud scan program (in safe mode), here is the report file from that run:

    SmitFraudFix v2.195

    Scan done at 17:41:40.28, Mon 06/25/2007
    Run from C:\Documents and Settings\Stephanie\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\privacy_danger FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephanie


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephanie\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\STEPHA~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\STEPHA~1\Desktop\Error Cleaner.url FOUND !
    C:\DOCUME~1\STEPHA~1\Desktop\Privacy Protector.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\NewMediaCodec\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "file:///C:\\WINDOWS\\privacy_danger\\index.htm "
    "SubscribedURL "=" "
    "FriendlyName "= "Privacy Protection "

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C} "= "Fdjskie8 jf8e "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{53B5F2B1-94DD-43E5-8187-EB4E31F00701} "= "za "

    [HKEY_CLASSES_ROOT\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2C1CD3D7-86AC-4068-93BC-A02304B25319} "= "DCOM Server 25319 "

    [HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "
    "LoadAppInit_DLLs "=dword:00000001


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "= "kduco.exe "

    kduco.exe detected !


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
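An added example, not code from this thread or from SmitFraudFix: a Python parser that reads a report in the format above (the sample input is constructed from excerpts of the report just posted) and maps its entries onto the persistence mechanism each one abuses, so the three things worth checking come out in one pass: the Active Desktop component that paints a local HTML file over the wallpaper, each SharedTaskScheduler CLSID resolved to its InProcServer32 DLL, and the Winlogon System value.

```python
import re
from collections import defaultdict

# Constructed input: excerpts of the SmitFraudFix report posted above.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="za"
[HKEY_CLASSES_ROOT\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
@="C:\WINDOWS\System32\SlLE2pCd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B25319}"="DCOM Server 25319"
[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
@="C:\WINDOWS\System32\ulqhj.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kduco.exe"
kduco.exe detected !
"""

SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
CLSID_SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$", re.I)


def _unquote(s):
    # Strip the quotes and the stray spaces that forum extraction leaves around them.
    return s.strip().strip('"').strip()


def parse_report(text):
    """Return found paths, detected executables and each section's registry data."""
    report = {"found": [], "detected": [], "sections": defaultdict(dict)}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!!!"):   # blanks and the "not inevitably infected" banner
            continue
        m = SECTION_RE.match(line)
        if m:                                     # "»»»» Name" opens a new section
            section, key = m.group(1), None
        elif line.endswith("FOUND !"):            # file-system hit
            report["found"].append(line[:-len("FOUND !")].strip())
        elif line.endswith("detected !"):         # Winlogon System executable present on disk
            report["detected"].append(line[:-len("detected !")].strip())
        elif KEY_RE.match(line):                  # [registry key]; a repeated key merges
            key = KEY_RE.match(line).group(1)
            report["sections"][section].setdefault(key, {})
        elif key is not None and "=" in line:     # "name"="value" or @="value"
            name, _, value = line.partition("=")
            report["sections"][section][key][_unquote(name)] = _unquote(value)
    return report


def persistence_findings(report):
    """Map the report's entries onto the persistence mechanism each one abuses."""
    findings, sections = [], report["sections"]
    # Active Desktop: a local HTML file registered as a desktop component is
    # drawn over the wallpaper (the red layer with a scroll bar in the thread).
    for values in sections.get("Desktop Components", {}).values():
        src = values.get("Source", "")
        if src.lower().startswith("file:"):
            findings.append(("active_desktop", values.get("FriendlyName", ""), src))
    # SharedTaskScheduler: every CLSID listed there is loaded into Explorer at
    # logon; resolve each one to the DLL named by its InProcServer32 key.
    sts = sections.get("Sharedtaskscheduler", {})
    servers = {m.group(1).upper(): v.get("@", "")
               for k, v in sts.items() for m in [CLSID_SERVER_RE.search(k)] if m}
    for k, v in sts.items():
        if k.endswith("\\SharedTaskScheduler"):
            for clsid, label in v.items():
                findings.append(("shared_task_scheduler", clsid, label,
                                 servers.get(clsid.upper(), "<no InProcServer32>")))
    # Winlogon "System": empty on a clean XP install, so any value here is a
    # program winlogon starts at boot.
    for values in sections.get("Winlogon.System", {}).values():
        if values.get("System"):
            findings.append(("winlogon_system", values["System"]))
    return findings


if __name__ == "__main__":
    for finding in persistence_findings(parse_report(SAMPLE_REPORT)):
        print(*finding)
```

Run against the full report, the same function also lists the "FOUND !" paths, which is what SmitFraudFix's option 2 deletes.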


  4. 2007/06/25
    Geri Inactive Alumni
    Hi BillB

    Run option 2 of smitfraud. Then let's download and run combofix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Then download and run this.

    Please download RogueRemover by RubberDucky here.
    1. Double-click rr-free-setup.exe to begin installing the program.
    2. Follow the setup instructions for installation.
    3. Double-click the RogueRemover icon on your desktop.
    4. Once the program runs, select Check for Updates.
    5. When prompted, select Check for Updates.
    6. If prompted again, click Download to receive the latest updates.
    7. When completed, close the update window.
    8. Next, click Scan
    9. If it detects anything, select to remove all objects found.
    10. Close RogueRemover

    Then try to run ATF again and see if you can get HJT to download and run.

    If HJT is a no go download and run Silent Runners.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As ", in FF it's "Save Link As ") to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by doubleclicking the "Silent Runners" icon on your desktop.
    • You will receive a prompt:
      • Do you want to skip supplementary searches?
        click NO
    • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    Geri
     
  5. 2007/06/25
    BillB Well-Known Member Thread Starter
    Hi Geri,

    I was able to run Smitfraud, Combofix, ATFCleaner and Silent Runners. HJT still will not run. Here are the logs from Combofix, Smitfraud and Silent Runners (it ran for a while and produced a script error, but posting the log anyway). The transparent layer over the desktop is now gone, still getting pop-ups about malware and viruses, something is still chewing up the hard drive too:

    ComboFix 07-06-18.2 - C:\Documents and Settings\Stephanie\Desktop\ComboFix.exe
    "Stephanie" - 2007-06-25 22:19:47 - Service Pack 1 NTFS [SAFE MODE]


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\WinAntiSpyware 2007\Data\ProductCode
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\WC3A98E2\www.broadcaster.com
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\scurit~1
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\scurit~1\w?nword.exe
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\WinAntiSpyware 2007
    C:\DOCUME~1\STEPHA~1\APPLIC~1.\WinAntiSpyware 2007\Logs\update.log
    C:\DOCUME~1\STEPHA~1\APPLIC~1\Microsoft\25319.dat
    C:\DOCUME~1\STEPHA~1\MYDOCU~1.\dobe~1
    C:\DOCUME~1\STEPHA~1\MYDOCU~1.\dobe~1\javaw.exe
    C:\Program Files\asks~1
    C:\Program Files\asks~2
    C:\Program Files\Common Files\{383CA~1
    C:\Program Files\Common Files\{383CA~1\toolbardll.lzma
    C:\Program Files\Common Files\{583CA~1
    C:\Program Files\Common Files\{583CA~1\system.dll
    C:\Program Files\Common Files\appatc~1
    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\dobe~1\nopdb.exe
    C:\Program Files\Common Files\DriveCleaner Free
    C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe
    C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
    C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
    C:\Program Files\Common Files\racle~1
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
    C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\Program Files\Common Files\ymbols~1
    C:\Program Files\dobe~1
    C:\Program Files\mantec~1
    C:\Program Files\pppatc~1
    C:\Program Files\stem~1
    C:\Program Files\tsks~1
    C:\Program Files\ymbols~1
    C:\Temp\0b9
    C:\Temp\0b9\tmpTF.log
    C:\Temp\tn3
    C:\WINDOWS\appatc~1
    C:\WINDOWS\dobe~1
    C:\WINDOWS\fnts~1
    C:\WINDOWS\icroso~1.net
    C:\WINDOWS\system32\1_exception.nls
    C:\WINDOWS\system32\boa.dat
    C:\WINDOWS\system32\cscentfy.dll
    C:\WINDOWS\system32\drivere.dll
    C:\WINDOWS\system32\driverf.dll
    C:\WINDOWS\system32\dsuiexq.dll
    C:\WINDOWS\system32\fnts~1
    C:\WINDOWS\system32\KB11505076.exe
    C:\WINDOWS\system32\KB34040802.exe
    C:\WINDOWS\system32\mbols~1
    C:\WINDOWS\system32\msxml3a.dll
    C:\WINDOWS\system32\pog
    C:\WINDOWS\system32\shdocvs.dll
    C:\WINDOWS\system32\T3
    C:\WINDOWS\system32\T4
    C:\WINDOWS\system32\T6
    C:\WINDOWS\system32\T7
    C:\WINDOWS\system32\T7\wb22.exe
    C:\WINDOWS\system32\T8QaSQ
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\system32\windev-peers.ini
    C:\WINDOWS\system32\wnsxs~1
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_COM+_MESSAGES
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_RUNTIME


    ((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


    2007-06-25 22:19 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-25 22:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-25 22:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-25 22:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-25 19:05 265 --a------ C:\bmgenkji3.exe
    2007-06-25 19:05 265 --a------ C:\bmgenkji2.exe
    2007-06-25 19:05 265 --a------ C:\bmgenkji1.exe
    2007-06-25 18:48 <DIR> d-------- C:\I386
    2007-06-25 17:41 3,026 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-25 12:15 <DIR> d-------- C:\VundoFix Backups
    2007-06-25 12:03 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\Lavasoft
    2007-06-24 18:15 <DIR> d-------- C:\Hijackthis
    2007-06-24 16:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-06-24 13:22 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-24 10:01 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
    2007-06-24 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-24 09:49 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Lavasoft
    2007-06-23 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2007-06-20 21:47 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\DriveCleaner Free
    2007-06-20 18:31 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\DriveCleaner Free
    2007-06-20 17:57 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-06-20 17:57 <DIR> d-------- C:\Intel
    2007-06-20 17:54 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2007-06-20 17:54 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
    2007-06-20 17:22 33,792 --a------ C:\WINDOWS\ieuninst.exe
    2007-06-03 13:24 97,280 --a------ C:\WINDOWS\system32\monterreyj_olive.exe
    2007-06-01 16:58 97,280 --a------ C:\WINDOWS\system32\monterreyi_olive.exe
    2007-06-01 16:58 97,280 --a------ C:\WINDOWS\monterreyi_olive.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-24 13:51:26 -------- d-----w C:\Program Files\LimeWire
    2007-06-24 13:49:16 -------- d-----w C:\Program Files\Lavasoft
    2007-06-23 22:59:38 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-20 10:42:32 89,088 ----a-w C:\WINDOWS\expro.dll
    2007-06-20 10:42:32 77,824 ----a-w C:\WINDOWS\vpssup.dll
    2007-06-07 23:02:55 15,891 ----a-w C:\WINDOWS\system32\msratnit.dll
    2007-06-01 02:34:59 97,280 ----a-w C:\WINDOWS\system32\monterreyg_olive.exe
    2007-05-21 13:59:50 60,928 ----a-w C:\WINDOWS\system32\zgb.dll
    2007-05-16 20:25:30 97,280 ----a-w C:\WINDOWS\system32\monterreyf_olive.exe
    2007-05-12 00:37:10 -------- d-----w C:\Program Files\Audible
    2007-05-11 23:59:55 -------- d-----w C:\Program Files\Google
    2007-05-05 03:17:24 13 ----a-w C:\WINDOWS\system32\rasqervy.dll
    2007-05-03 22:55:24 -------- d-----w C:\Program Files\Common Files\iuuk
    2007-04-25 01:22:32 2 ----a-w C:\WINDOWS\system32\wcpsvtr.exe
    2007-04-25 01:16:16 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2005-08-02 21:46:54 187,904 --sha-r C:\WINDOWS\UGV0ZQ\asappsrv.dll
    2005-08-02 21:58:38 293,888 --sha-r C:\WINDOWS\UGV0ZQ\command.exe
    2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\UGV0ZQ\o3pXtk.vbs


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}=C:\Program Files\Outerinfo\Outerinfo.dll []
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {53B5F2B1-94DD-43E5-8187-EB4E31F00701}=C:\WINDOWS\System32\SlLE2pCd.dll [2003-06-16 09:28]
    {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4}=\ [2007-06-25 22:21]
    {B00A404B-D4A9-D759-DF7C-83ADDFB424B1}=C:\WINDOWS\System32\zgb.dll [2007-05-21 09:59]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Salestart "= "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe" []
    "SDR6_Check "= "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe" []
    "PAS_Check "= "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe" []
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 18:37]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" []
    "Scmyyasv "= "C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe" []
    "Outerinfo "= "C:\Program Files\Outerinfo\Outerinfo.exe" []
    "OuterinfoUpdate "= "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" []
    "Windows Setup Manger "= "h" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{53B5F2B1-94DD-43E5-8187-EB4E31F00701} "= "C:\WINDOWS\System32\SlLE2pCd.dll" [2003-06-16 09:28]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{D9C689AF-156B-4B21-B4B7-AC108F81BED0} "= "C:\WINDOWS\vpssup.dll" [2007-06-20 06:42]
    "{1E695FA1-74E0-40D6-8707-6AF9F7EACB90} "= "C:\WINDOWS\expro.dll" [2007-06-20 06:42]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=

    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-25 22:22:46
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-25 22:25:48 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-25 22:25

    --- E O F ---


    SmitFraudFix v2.195

    Scan done at 22:16:12.71, Mon 06/25/2007
    Run from C:\Documents and Settings\Stephanie\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C} "= "Fdjskie8 jf8e "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{53B5F2B1-94DD-43E5-8187-EB4E31F00701} "= "za "

    [HKEY_CLASSES_ROOT\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2C1CD3D7-86AC-4068-93BC-A02304B25319} "= "DCOM Server 25319 "

    [HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\privacy_danger\ Deleted
    C:\DOCUME~1\STEPHA~1\Desktop\Error Cleaner.url Deleted
    C:\DOCUME~1\STEPHA~1\Desktop\Privacy Protector.url Deleted
    C:\DOCUME~1\STEPHA~1\Desktop\Spyware?Malware Protection.url Deleted
    C:\Program Files\NewMediaCodec\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{4F31AEBA-BC95-4356-BAF0-2715F307E000}: DhcpNameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{D3DF03D8-30BA-42D7-8CF7-BB2188A1A26C}: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220 208.67.222.222


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "= "kduco.exe "

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{8D5849A2-93F3-429D-FF34-260A2068897C} "= "Fdjskie8 jf8e "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{53B5F2B1-94DD-43E5-8187-EB4E31F00701} "= "za "

    [HKEY_CLASSES_ROOT\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}\InProcServer32]
    @= "C:\WINDOWS\System32\SlLE2pCd.dll "


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2C1CD3D7-86AC-4068-93BC-A02304B25319} "= "DCOM Server 25319 "

    [HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B25319}\InProcServer32]
    @= "C:\WINDOWS\System32\ulqhj.dll "



    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    C:\WINDOWS\system32\kduco.exe Deleted

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» End

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "Aim6" = " "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" [file not found]
    "Scmyyasv" = " "C:\Documents and Settings\Stephanie\Application Data\s*curity\w*nword.exe" " (unwritable string) [file not found]
    "Outerinfo" = " "C:\Program Files\Outerinfo\Outerinfo.exe" " [file not found]
    "OuterinfoUpdate" = " "C:\Program Files\Outerinfo\OuterinfoUpdate.exe" " [file not found]
    "Windows Setup Manger" = "h" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Salestart" = " "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe" " [file not found]
    "SDR6_Check" = " "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe" " [file not found]
    "PAS_Check" = " "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe" " [file not found]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" [ "GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
    \StubPath = " "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll ",ShowIconsUser" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Outerinfo\Outerinfo.dll" [file not found]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {53B5F2B1-94DD-43E5-8187-EB4E31F00701}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\SlLE2pCd.dll" [null data]
    {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "\" [file not found]
    {B00A404B-D4A9-D759-DF7C-83ADDFB424B1}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\zgb.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
    <<!>> "{53B5F2B1-94DD-43E5-8187-EB4E31F00701}" = "za "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\SlLE2pCd.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "vpssup" = "{D9C689AF-156B-4B21-B4B7-AC108F81BED0} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\vpssup.dll" [null data]
    "expro" = "{1E695FA1-74E0-40D6-8707-6AF9F7EACB90} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\expro.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" [ "Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoCDBurning" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
     
  6. 2007/06/25
    Geri Inactive Alumni
    Hi BillB

    I see a few things but not many. So something is hiding.

    Let's run AVG Anti-Spyware and post its log

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted; then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.


    Then rename Hijackthis.exe to Killer.exe and see if it will run, preferably in normal mode.

    I need to go to bed, I'm working a lot of hours at this time. I will check in again tomorrow evening.

    Geri
     
  7. 2007/06/26
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Geri,

    AVG Antispyware found a lot of stuff and got rid of it. I was also able to get Hijackthis to run by renaming it. Here's the HJT log, I'm going to have to figure out a way to post the AVG one, it's too big. It is getting progressively better, boot up is faster and a lot of the pop-ups are gone. Still have something keeping the hard drive going but not as bad as it was. Also still getting pop ups about spyware detected and click yes to get available antispyware software, also some about trojan viruses detected click here to fix. There is also a little red triangle with a white exclamation point (!) in the system tray that keeps blinking.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:58 PM, on 6/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {F9DFF287-3E69-6FCF-4C40-30C65D4C3CB7} - (no file)
    R3 - URLSearchHook: (no name) - {7949D5FE-4E49-15EC-6957-11E4CFB5E9BE} - (no file)
    R3 - URLSearchHook: (no name) - {37CA13D7-D66E-DAC1-1B00-D458147FF7ED} - (no file)
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\SlLE2pCd.dll (file missing)
    O2 - BHO: (no name) - {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4} - \
    O2 - BHO: (no name) - {B00A404B-D4A9-D759-DF7C-83ADDFB424B1} - C:\WINDOWS\System32\zgb.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "
    O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe "
    O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Scmyyasv] "C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe "
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe "
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe "
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: vpssup - {D9C689AF-156B-4B21-B4B7-AC108F81BED0} - C:\WINDOWS\vpssup.dll
    O21 - SSODL: expro - {1E695FA1-74E0-40D6-8707-6AF9F7EACB90} - C:\WINDOWS\expro.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  8. 2007/06/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi BillB
    OK, cool. I'm glad we got the HJT log; it really helps.

    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double click it to run and follow the prompts. Please post the contents of the AWF.txt log it creates.


    Please go to Add/Remove and remove these first, if they're there.

    WinAntiSpyware 2007
    DriveCleaner Free
    Outerinfo



    OK, now let's download Killbox. You may get a message that some files are already gone; that's OK, just kill the rest.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
      C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
      C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
      C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe
      C:\Program Files\Outerinfo\Outerinfo.exe
      C:\Program Files\Outerinfo\OuterinfoUpdate.exe
      C:\WINDOWS\vpssup.dll
      C:\WINDOWS\expro.dll


    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


    Please give me an uninstall list using HJT. Here's how.
    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.


    Do you recognize this as her ISP?
    Freedom Networks

    Please post the AWF log, the uninstall list, and a new HJT log.

    As far as the AVG log, remove all the system volume info and the cookies info, then see how long it is.

    Thanks
    Geri
     
  9. 2007/06/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi BillB

    Just to let you know that there will more than likely be more files to kill, but I would like to see what AVG got rid of.

    Geri
     
  10. 2007/06/27
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Here's the AVG report, I hope. It's attached in a zip file.
     
  11. 2007/06/27
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Geri,

    Here are the uninstall list, AWF list and a new HJT list as requested. Killbox requested that the machine be rebooted when I clicked on the delete button, so I clicked OK. Freedom Networks is not their ISP; they are using Comcast cable.

    Uninstall list;

    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8
    ArcSoft MediaConverter 2
    AVG 7.5
    AVG Anti-Spyware 7.5
    Gateway Drivers and Applications Recovery
    Gateway IE Customizations
    HijackThis 1.99.1
    HP Customer Participation Program 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    Intel(R) 537EP Data Fax Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Java 2 Runtime Environment, SE v1.4.2
    Microsoft .NET Framework 1.1
    Microsoft Office 2000 Premium
    Mozilla Firefox (2.0.0.4)
    RecordNow
    RogueRemover 1.20
    Spybot - Search & Destroy 1.4
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    12/23/2006 10:31 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    11/18/2003 02:11 AM 118,784 hkcmd.exe
    11/18/2003 02:24 AM 155,648 igfxtray.exe
    2 File(s) 274,432 bytes

    Directory of C:\PROGRA~1\COMMON~1\IUUK\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    12/13/2004 04:30 PM 58,992 ccApp.exe
    1 File(s) 58,992 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

    03/29/2007 09:22 PM 68,856 GoogleToolbarNotifier.exe
    1 File(s) 68,856 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    02/19/2006 03:41 AM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

    11/02/2004 05:59 PM 218,240 UsrPrmpt.exe
    1 File(s) 218,240 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    07/26/2006 04:03 AM 49,263 jusched.exe
    1 File(s) 49,263 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    282624 Dec 23 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    77824 Apr 5 2005 "C:\WINDOWS\system32\hkcmd.exe "
    118784 Nov 18 2003 "C:\WINDOWS\system32\bak\hkcmd.exe "
    94208 Apr 5 2005 "C:\WINDOWS\system32\igfxtray.exe "
    155648 Nov 18 2003 "C:\WINDOWS\system32\bak\igfxtray.exe "
    58992 Dec 13 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe "
    68856 Mar 29 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe "
    49152 Feb 19 2006 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe "
    218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe "
    49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe "


    end of report


    Logfile of HijackThis v1.99.1
    Scan saved at 8:50:28 AM, on 6/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {F9DFF287-3E69-6FCF-4C40-30C65D4C3CB7} - (no file)
    R3 - URLSearchHook: (no name) - {7949D5FE-4E49-15EC-6957-11E4CFB5E9BE} - (no file)
    R3 - URLSearchHook: (no name) - {37CA13D7-D66E-DAC1-1B00-D458147FF7ED} - (no file)
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\SlLE2pCd.dll (file missing)
    O2 - BHO: (no name) - {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4} - \
    O2 - BHO: (no name) - {B00A404B-D4A9-D759-DF7C-83ADDFB424B1} - C:\WINDOWS\System32\zgb.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "
    O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe "
    O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Scmyyasv] "C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe "
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe "
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe "
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O21 - SSODL: vpssup - {D9C689AF-156B-4B21-B4B7-AC108F81BED0} - C:\WINDOWS\vpssup.dll (file missing)
    O21 - SSODL: expro - {1E695FA1-74E0-40D6-8707-6AF9F7EACB90} - C:\WINDOWS\expro.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  12. 2007/06/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi BillB

    We need to run another tool.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Now open killbox again and kill these...

    C:\WINDOWS\System32\SlLE2pCd.dll
    C:\WINDOWS\System32\ulqhj.dll


    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\Common Files\DriveCleaner Free
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\Program Files\Outerinfo
    C:\Documents and Settings\Stephanie\Application Data\s?curity


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {F9DFF287-3E69-6FCF-4C40-30C65D4C3CB7} - (no file)
    R3 - URLSearchHook: (no name) - {7949D5FE-4E49-15EC-6957-11E4CFB5E9BE} - (no file)
    R3 - URLSearchHook: (no name) - {37CA13D7-D66E-DAC1-1B00-D458147FF7ED} - (no file)
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\System32\SlLE2pCd.dll (file missing)
    O2 - BHO: (no name) - {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4} - \
    O2 - BHO: (no name) - {B00A404B-D4A9-D759-DF7C-83ADDFB424B1} - C:\WINDOWS\System32\zgb.dll (file missing)
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "
    O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe "
    O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe "
    O4 - HKCU\..\Run: [Scmyyasv] "C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe "
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe "
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe "
    O20 - AppInit_DLLs: <<You will get a warning here; click OK to delete.
    O21 - SSODL: vpssup - {D9C689AF-156B-4B21-B4B7-AC108F81BED0} - C:\WINDOWS\vpssup.dll (file missing)
    O21 - SSODL: expro - {1E695FA1-74E0-40D6-8707-6AF9F7EACB90} - C:\WINDOWS\expro.dll (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    After that, Reboot.

    Please post a new HJT log and the SDFix log into this thread.

    Let me know how things are.

    Thanks
    Geri
     
    Last edited: 2007/06/27
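As an added example (not code from the thread, from HijackThis, or from any of the tools named here), the Python script below applies the same review rules Geri used above to the posted log: URLSearchHooks and BHOs with no backing file, run entries that point into the programs slated for uninstall or carry a '?' lookalike character, the run entry whose command is just "h", the blank AppInit_DLLs value, the SSODL entries whose DLLs are missing, and the hand-set O17 DNS servers that had to be checked against the ISP. The sample lines are copied from the HJT log in the previous post; the rule names, the ROGUE_NAMES list and the output format are this example's own assumptions.

```python
import re

# Sample lines copied from the HijackThis log posted above (a subset, kept
# verbatim, including the stray space before some closing quotes).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {F9DFF287-3E69-6FCF-4C40-30C65D4C3CB7} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C37ADAA-ACA0-4A4D-8AEE-7514D71D5AC4} - \
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Scmyyasv] "C:\Documents and Settings\Stephanie\Application Data\s?curity\w?nword.exe "
O4 - HKCU\..\Run: [Windows Setup Manger] h
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - AppInit_DLLs:
O21 - SSODL: vpssup - {D9C689AF-156B-4B21-B4B7-AC108F81BED0} - C:\WINDOWS\vpssup.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
O4_RUN = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Product names the helper asked to have uninstalled (assumed list, taken from
# the Add/Remove request in this thread); a run entry still pointing into one
# of them is listed for removal.
ROGUE_NAMES = ("winantispyware", "drivecleaner", "outerinfo")


def _odd_chars(path):
    """'?' is not a legal character in a Windows file name, and it is also how
    a non-ASCII lookalike letter tends to print once a log is pasted into a
    forum; either one in a Run entry deserves a second look."""
    return any(ch == "?" or ord(ch) > 126 for ch in path)


def _o4_command(rest):
    """Command part of an O4 line: after the [name] for Run keys, after
    ' = ' for Global Startup shortcuts."""
    m = O4_RUN.match(rest)
    if m:
        return m.group("cmd").strip()
    return rest.partition(": ")[2].split(" = ", 1)[-1].strip()


def _exe_of(cmd):
    """The executable path: the quoted part if quoted, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip()
    return cmd.split(" ", 1)[0]


def triage_hjt(log_text):
    """Return a list of {"sec", "reason", "line"} for every line that
    matches one of the review rules; everything else is left alone."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        reason = None
        if sec == "R3" and rest.endswith("(no file)"):
            reason = "URLSearchHook with no backing file"
        elif sec == "O2":
            target = rest.rsplit(" - ", 1)[-1].strip()
            if target.endswith("(file missing)") or target == "\\":
                reason = "BHO whose DLL is missing or blank"
        elif sec == "O4":
            exe = _exe_of(_o4_command(rest))
            if _odd_chars(exe):
                reason = "run entry path contains a '?' or non-ASCII lookalike character"
            elif any(n in exe.lower() for n in ROGUE_NAMES):
                reason = "run entry belongs to a program slated for uninstall"
            elif "\\" not in exe and "." not in exe:
                reason = "run entry command is not a recognizable path"
        elif sec == "O17" and "NameServer" in rest:
            reason = "DNS servers set by hand; confirm they belong to the ISP"
        elif sec == "O20" and rest.startswith("AppInit_DLLs:") and not rest.partition(":")[2].strip():
            reason = "AppInit_DLLs value exists but prints as empty"
        elif sec == "O21" and rest.endswith("(file missing)"):
            reason = "SSODL entry whose DLL is missing"
        if reason:
            findings.append({"sec": sec, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f['sec']:>4}  {f['reason']}\n      {f['line']}")
```

Run against the sample it lists exactly the ten entries Geri checked in this post and leaves the Spybot SDHelper BHO, the AVG control centre and the HP shortcut alone.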
  13. 2007/06/28
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Geri,

    I fixed the entries in HJT and ran Killbox as directed; the folders you wanted to delete were not there. Here are the reports from SDFix and HJT:

    SDFix: Version 1.88

    Run by Stephanie on Thu 06/28/2007 at 12:17 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\SYSTEM32\HIDRWUPD.DLL - Deleted
    C:\Documents and Settings\Stephanie\Desktop\Error Cleaner.url - Deleted
    C:\Documents and Settings\Stephanie\Desktop\Privacy Protector.url - Deleted
    C:\Documents and Settings\Stephanie\Desktop\Spyware&Malware Protection.url - Deleted
    C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\hd-log.txt - Deleted
    C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
    C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
    C:\WINDOWS\system32\cmnocfg.xml - Deleted
    C:\WINDOWS\system32\help.txt - Deleted
    C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
    C:\WINDOWS\system32\ps.dat - Deleted



    Removing Temp Files...

    ADS Check:

    Checking C:\WINDOWS
    C:\WINDOWS
    No streams found.

    Checking C:\WINDOWS\system32
    C:\WINDOWS\system32
    No streams found.

    Checking C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking C:\WINDOWS\system32\ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Listing Files with Hidden Attributes:

    C:\Program Files\Windows Media Player\mplayer2.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2B9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2BF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2C9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2CF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2D9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2DF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2E9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2EA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2EB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2EC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2ED.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2EE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2EF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2F9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT2FF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT300.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT301.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT302.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT303.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT304.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT305.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT306.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT307.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT308.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT309.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT30F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT310.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT311.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT312.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT313.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT314.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT315.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT316.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT317.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT318.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT319.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT31F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT320.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT321.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT322.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT323.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT324.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT325.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT326.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT327.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT328.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT329.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT32F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT330.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT331.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT332.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT333.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT334.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT335.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT336.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT337.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT338.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT339.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT33F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT340.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT341.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT342.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT343.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT344.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT345.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT346.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT347.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT348.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT349.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT34F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT350.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT351.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT352.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT353.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT354.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT355.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT356.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT357.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT358.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT359.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT35F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT360.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT361.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT362.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT363.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT364.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT365.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT366.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT367.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT368.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT369.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT36F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT370.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT371.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT372.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT373.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT374.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT375.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT376.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT377.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT378.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT379.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT37F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT380.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT381.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT382.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT383.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT384.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT385.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT386.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT387.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT388.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT389.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT38F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT390.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT391.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT392.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT393.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT394.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT395.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT396.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT397.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT398.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT399.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT39F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3A9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3AF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3B9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3BF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3C9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3CF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3D9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3DF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3E9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3EA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3EB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3EC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3ED.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3EE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3EF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F0.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F1.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F2.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F3.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F4.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F5.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F6.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F7.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F8.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3F9.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FA.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FB.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FC.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FD.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FE.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT3FF.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT400.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT401.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT402.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT403.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT404.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT405.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT406.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT407.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT408.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT409.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40A.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40B.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40C.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40D.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40E.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT40F.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT410.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT411.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT412.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT413.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT414.tmp
    C:\Documents and Settings\Pete\Local Settings\Temp\BIT415.tmp
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxbda.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxdllreg.PNF
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.inf
    C:\WINDOWS\LastGood.Tmp\INF\dxxp.PNF
    C:\WINDOWS\LastGood.Tmp\INF\js56nen.inf
    C:\WINDOWS\LastGood.Tmp\INF\js56nen.PNF
    C:\WINDOWS\LastGood.Tmp\INF\mm20.inf
    C:\WINDOWS\LastGood.Tmp\INF\mm20.PNF
    C:\WINDOWS\LastGood.Tmp\INF\mm20ex.inf
    C:\WINDOWS\LastGood.Tmp\INF\mm20ex.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem0.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem0.PNF
    C:\WINDOWS\LastGood.Tmp\INF\q330994.inf
    C:\WINDOWS\LastGood.Tmp\INF\q330994.PNF
    C:\WINDOWS\LastGood.Tmp\INF\q822925.inf
    C:\WINDOWS\LastGood.Tmp\INF\q822925.PNF
    C:\WINDOWS\LastGood.Tmp\INF\vbs56nen.inf
    C:\WINDOWS\LastGood.Tmp\INF\vbs56nen.PNF
    C:\WINDOWS\LastGood.Tmp\INF\wm819639.inf
    C:\WINDOWS\LastGood.Tmp\INF\wm819639.PNF
    C:\WINDOWS\system32\config\default.tmp.LOG
    C:\WINDOWS\system32\config\SAM.tmp.LOG
    C:\WINDOWS\system32\config\SECURITY.tmp.LOG
    C:\WINDOWS\system32\config\software.tmp.LOG
    C:\WINDOWS\system32\config\system.tmp.LOG

    Listing User Accounts:


    Administrator ASPNET Guest
    HelpAssistant Pete Stephanie
    SUPPORT_388945a0


    Finished
     
  14. 2007/06/28
    BillB (Well-Known Member, Thread Starter)
    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:04 PM, on 6/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  15. 2007/06/28
    Geri (Inactive Alumni)
    Hi BillB

    Your log looks good except for this...
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

    WinAntispyware just doesn't want to go away.

    You said you ran Vundo? Please delete the one you have and download this one, in case you have an older version.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Please post the two logs. Vundo and HJT.

    Also let me know how things are running,

    Thanks
    Geri
     
  16. 2007/06/28
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Geri,

    I fixed the item you mentioned in HJT. I downloaded the Vundo that you linked to and ran it, still found nothing to fix. Here is the new HJT log. The PC is much better than it was, most of the pop-ups are gone, save one that wants to open the browser but I just close the pop-up window. The little red triangle that was on the system tray is now gone. Something is still driving the hard drive crazy, it takes from 10 to 15 minutes to do a shutdown from normal mode.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:06:11 PM, on 6/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Hijackthis\killer.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  17. 2007/06/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
OK, please try and run ATF Cleaner now.

Is there any kind of advertisement with the pop-up? Does it have anything that might say what it is?

    I missed these with killbox
    Please run killbox and kill them.
    C:\bmgenkji1.exe
    C:\bmgenkji2.exe
    C:\bmgenkji3.exe


    Please run combofix and silentrunners again and post the new logs.

Also rename HJT back to Hijackthis.exe and give me a startup list; here is how:

    Create a Startup List

    * Open HiJackThis
    * Click on the "Config..." button on the bottom right
    * Click on the tab "Misc Tools "
    * Check off the 2 boxes next to the Box that says "Generate StartupList log "
    * Click on the button "Generate StartupList log "
* Copy and paste the StartupList from the notepad into your next post

    Thanks
    Geri
     
    Last edited: 2007/06/28
  18. 2007/06/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bill
    These come up as an open DNS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222

Though legit, they may be a problem. Does she use them? See the Google link.

    http://www.google.com/search?client...67.220.220+208.67.222.222+&btnG=Google+Search

If she doesn't, then they should be killed using HJT. If it causes an internet problem when deleted, you can restore them with HJT this way.

    To restore the backups:
    • Open HiJackThis
    • Click on "View the list of Backups "
    • Place a check mark next to those 017 entries in that window
    • Click Restore
    • Click Yes
    • Reboot your computer

    Geri
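The O17 point above (a NameServer value that is not the one the owner set is a classic DNS-hijack indicator, and even a legitimate public resolver is worth confirming with the owner) is easy to check mechanically. The following is an added example, not code from the thread or from the HijackThis project: it parses HijackThis-style O17 and O4 lines, compares O17 NameServer IPs against a small allowlist of known public resolvers (the 208.67.x.x pair is OpenDNS, as this post notes), and, going one step beyond the O17 discussion, also flags O4 autorun entries whose target is not a plausible executable path, like the `[Windows Setup Manger] h` entry visible in the logs earlier in the thread. The sample log lines and the `192.0.2.53` resolver in it are constructed for the demonstration.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread).

Flags the entries a reviewer would look at first:
  * O17: NameServer IPs that are not on a known-public-resolver allowlist
    (a silently changed resolver is a DNS-hijack indicator); known public
    resolvers are reported too, so the owner can confirm they set them.
  * O4:  autorun commands whose target is not a plausible executable path
    (e.g. a stray one-letter value left behind by a removed loader).
"""
import ipaddress
import re
from dataclasses import dataclass

# Allowlist of public resolvers treated as "known".  208.67.x.x are OpenDNS;
# 8.8.x.x are Google Public DNS.  Extend to whatever the site actually uses.
KNOWN_PUBLIC_RESOLVERS = {
    "208.67.222.222", "208.67.220.220",
    "8.8.8.8", "8.8.4.4",
}

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A plausible autorun target: an optionally quoted drive-letter path that ends
# in a common executable extension, possibly followed by arguments.
EXE_PATH_RE = re.compile(
    r'^"?[A-Za-z]:\\.+?\.(exe|dll|sys|ocx|scr|cmd|bat)"?(\s|$)', re.IGNORECASE
)


@dataclass
class Finding:
    line: str
    reason: str


def classify_nameservers(servers: str):
    """Split a whitespace-separated NameServer value into (known, unknown) lists."""
    known, unknown = [], []
    for token in servers.split():
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            unknown.append(token)  # not even an IP address: definitely review it
            continue
        (known if ip in KNOWN_PUBLIC_RESOLVERS else unknown).append(ip)
    return known, unknown


def triage(log_text: str):
    """Return a list of Finding objects for the O17/O4 lines worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            known, unknown = classify_nameservers(m.group("servers"))
            if unknown:
                findings.append(Finding(line, "O17 NameServer not on allowlist: " + " ".join(unknown)))
            elif known:
                findings.append(Finding(line, "O17 NameServer is a known public resolver: "
                                        + " ".join(known) + " (confirm the owner set it)"))
            continue
        m = O4_RE.match(line)
        if m and not EXE_PATH_RE.match(m.group("cmd")):
            findings.append(Finding(line, f"O4 [{m.group('name')}] target is not an executable path: "
                                    f"{m.group('cmd')!r}"))
    return findings


# Constructed sample: two O4 lines and the O17 pair from the thread, plus one
# made-up resolver (192.0.2.53, a documentation address) to show the unknown case.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Windows Setup Manger] h
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Running it on the constructed sample reports three findings: the `h` autorun target, the OpenDNS pair (to be confirmed with the owner), and the unknown `192.0.2.53` resolver; the AVG entry passes the path check and is not reported. Feed it a real saved HijackThis log and it gives the same first-pass read the post above does by eye.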
     
  19. 2007/06/29
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Geri,

    ATF cleaner ran fine this time. I deleted the DNS entries with HJT and the files mentioned with Killbox.

ComboFix ran fine, but Silent Runners got some kind of scripting error; I've attached a jpg file with the error message. I'm including all the logs you requested. The pop-up didn't happen on this boot; not sure if it has been cured or just didn't happen. Hard drive activity hasn't gone away though.

    ComboFix 07-06-18.2 - C:\Documents and Settings\Stephanie\Desktop\ComboFix.exe
    "Stephanie" - 2007-06-29 11:58:51 - Service Pack 1 NTFS


    ((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


    2007-06-27 08:40 <DIR> d-------- C:\!KillBox
    2007-06-26 11:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-25 22:28 <DIR> d-------- C:\Program Files\RogueRemover
    2007-06-25 22:19 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-25 22:16 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-06-25 22:16 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-06-25 22:16 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-06-25 18:48 <DIR> d-------- C:\I386
    2007-06-25 17:41 3,026 --a------ C:\WINDOWS\system32\tmp.reg
    2007-06-25 12:15 <DIR> d-------- C:\VundoFix Backups
    2007-06-25 12:03 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\Lavasoft
    2007-06-24 18:15 <DIR> d-------- C:\Hijackthis
    2007-06-24 16:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-06-24 13:22 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-06-24 10:01 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
    2007-06-24 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-24 09:49 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\Lavasoft
    2007-06-23 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2007-06-22 00:29 <DIR> d-------- C:\WINDOWS\system32\CatRoot
    2007-06-20 21:47 <DIR> d-------- C:\DOCUME~1\Pete\APPLIC~1\DriveCleaner Free
    2007-06-20 18:31 <DIR> d-------- C:\DOCUME~1\STEPHA~1\APPLIC~1\DriveCleaner Free
    2007-06-20 17:57 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-06-20 17:57 <DIR> d-------- C:\Intel
    2007-06-20 17:54 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
    2007-06-20 17:54 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
    2007-06-20 17:22 33,792 --a------ C:\WINDOWS\ieuninst.exe
    2007-06-03 13:24 97,280 --a------ C:\WINDOWS\system32\monterreyj_olive.exe
    2007-06-01 16:58 97,280 --a------ C:\WINDOWS\system32\monterreyi_olive.exe
    2007-06-01 16:58 97,280 --a------ C:\WINDOWS\monterreyi_olive.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-24 13:51:26 -------- d-----w C:\Program Files\LimeWire
    2007-06-24 13:49:16 -------- d-----w C:\Program Files\Lavasoft
    2007-06-23 22:59:38 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-07 23:02:55 15,891 ----a-w C:\WINDOWS\system32\msratnit.dll
    2007-06-01 02:34:59 97,280 ----a-w C:\WINDOWS\system32\monterreyg_olive.exe
    2007-05-16 20:25:30 97,280 ----a-w C:\WINDOWS\system32\monterreyf_olive.exe
    2007-05-12 00:37:10 -------- d-----w C:\Program Files\Audible
    2007-05-11 23:59:55 -------- d-----w C:\Program Files\Google
    2007-05-05 03:17:24 13 ----a-w C:\WINDOWS\system32\rasqervy.dll
    2007-05-03 22:55:24 -------- d-----w C:\Program Files\Common Files\iuuk
    2007-04-25 01:16:16 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-20 18:37]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" []
    "Windows Setup Manger "= "h" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator "=Narrator.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg "=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-29 12:00:48
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-29 12:01:30

ComboFix quarantine list:

    Code:
    2001-08-17 23:43      24576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml3a.dll.vir
    2003-06-11 21:40      0    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\1_exception.nls.vir
    2003-06-11 21:40      201233    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\KB11505076.exe.vir
    2003-06-12 17:42      56229    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dsuiexq.dll.vir
    2003-06-12 17:42      6144    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\shdocvs.dll.vir
    2003-06-14 17:55      1    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\boa.dat.vir
    2003-06-14 17:55      7033    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\KB34040802.exe.vir
    2003-06-14 18:06      27136    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cscentfy.dll.vir
    2003-06-16 00:02      8311    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\STEPHA~1\APPLIC~1\Microsoft\25319.dat.vir
    2003-06-17 21:42      0    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\err.log.vir
    2003-06-17 21:42      20    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode.vir
    2003-06-17 21:42      5    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr.vir
    2003-06-18 21:27      8785    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\STEPHA~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log.vir
    2003-06-20 16:50      2329    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
    2007-01-18 19:24      48695    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\{383CA~1\toolbardll.lzma.vir
    2007-01-18 19:24      911    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\unsvchosts.lzma.vir
    2007-04-24 12:21      9248    --a------    C:\Qoobox\Quarantine\C\TEMP\0b9\tmpTF.log.vir
    2007-05-16 16:25      152576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\driverf.dll.vir
    2007-06-06 19:06      274432    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\T7\wb22.exe.vir
    2007-06-21 16:38      37406    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\windev-peers.ini.vir
    2007-06-25 22:21      1034    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
    2007-06-25 22:21      1118    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
    2007-06-25 22:21      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2007-06-25 22:21      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_COM+_MESSAGES.reg.cf
    2007-06-25 22:21      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    
    
    Folder PATH listing
    Volume serial number is 71FAE346 583C:A601
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---DOCUME~1
        |   |   +---ALLUSE~1
        |   |   |   \---APPLIC~1
        |   |   |       \---WinAntiSpyware 2007
        |   |   |           \---Data
        |   |   |                   Abbr.vir
        |   |   |                   ProductCode.vir
        |   |   |                   
        |   |   \---STEPHA~1
        |   |       +---APPLIC~1
        |   |       |   +---Microsoft
        |   |       |   |       25319.dat.vir
        |   |       |   |       
        |   |       |   +---SCURIT~1
        |   |       |   \---WinAntiSpyware 2007
        |   |       |       \---Logs
        |   |       |               update.log.vir
        |   |       |               
        |   |       \---MYDOCU~1
        |   |           \---DOBE~1
        |   +---Program Files
        |   |   \---Common Files
        |   |       +---DOBE~1
        |   |       +---DriveCleaner Free
        |   |       +---WinAntiSpyware 2007
        |   |       |       err.log.vir
        |   |       |       
        |   |       +---{383CA~1
        |   |       |       toolbardll.lzma.vir
        |   |       |       
        |   |       \---{583CA~1
        |   +---TEMP
        |   |   \---0b9
        |   |           tmpTF.log.vir
        |   |           
        |   \---WINDOWS
        |       |   wr.txt.vir
        |       |   
        |       \---system32
        |           |   1_exception.nls.vir
        |           |   boa.dat.vir
        |           |   cscentfy.dll.vir
        |           |   driverf.dll.vir
        |           |   dsuiexq.dll.vir
        |           |   KB11505076.exe.vir
        |           |   KB34040802.exe.vir
        |           |   msxml3a.dll.vir
        |           |   shdocvs.dll.vir
        |           |   unsvchosts.lzma.vir
        |           |   windev-peers.ini.vir
        |           |   
        |           \---T7
        |                   wb22.exe.vir
        |                   
        \---Registry_backups
                LEGACY_CMDSERVICE.reg.cf
                LEGACY_COM+_MESSAGES.reg.cf
                LEGACY_CORE.reg.cf
                LEGACY_NETWORK_MONITOR.reg.cf
                LEGACY_RUNTIME.reg.cf
                
    
    C:\ComboFix-quarantined-files.txt ... 2007-06-29 12:01
    C:\ComboFix2.txt ... 2007-06-25 22:25

    --- E O F ---
     
  20. 2007/06/29
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
Log from Silent Runners:

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "Aim6" = " "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp" [file not found]
    "Windows Setup Manger" = "h" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" [ "GRISOFT, s.r.o."]
    "!AVG Anti-Spyware" = " "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
    \StubPath = " "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll ",ShowIconsUser" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" [ "Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoCDBurning" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:25:04 PM, on 6/29/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Windows Setup Manger] h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
     
  21. 2007/06/29
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
HijackThis startup list and Silent Runners error file:

    StartupList report, 6/29/2007, 12:11:32 PM
    StartupList version: 1.52.2
    Started from : C:\Hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Stephanie\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    !AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    Windows Setup Manger = h

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    [Setup]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    [Setup]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = C:\WINDOWS\inf\unregmp2.exe /HideWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll ",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *No subkeys found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    aeaudio: system32\drivers\aeaudio.sys (manual start)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
    AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
    AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
    AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    Cod47: \SystemRoot\System32\Cod47.sys (autostart)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    HP Port Resolver: C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBPRO.EXE (manual start)
    HP Status Server: C:\WINDOWS\System32\spool\drivers\w32x86\3\HPBOID.EXE (manual start)
    IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
    Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
    USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    ialm: System32\DRIVERS\ialmnt5.sys (manual start)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IntelC51: System32\DRIVERS\IntelC51.sys (manual start)
    IntelC52: System32\DRIVERS\IntelC52.sys (manual start)
    IntelC53: System32\DRIVERS\IntelC53.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    mohfilt: System32\DRIVERS\mohfilt.sys (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    PrismXL: C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS (autostart)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    smwdm: system32\drivers\smwdm.sys (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{4602CCC6-DDB9-4EE0-95AB-B10D1DECE6AE} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    windev-33bc-38c1: \??\C:\WINDOWS\System32\windev-33bc-38c1.sys (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
    Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\Documents and Settings\Stephanie\Local Settings\temp\hpodvd09.log||C:\Documents and Settings\Stephanie\Local Settings\temp\~DF5D4E.tmp||C:\Documents and Settings\Stephanie\Local Settings\temp\~DFC87B.tmp||C:\Documents and Settings\Stephanie\Cookies\index.dat||C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\LocalService\cookies\index.dat||C:\Documents and Settings\Stephanie\Local Settings\temp\hpodvd09.log||C:\Documents and Settings\Stephanie\Local Settings\temp\~DF5D4E.tmp||C:\Documents and Settings\Stephanie\Local Settings\temp\~DFC87B.tmp||C:\Documents and Settings\Stephanie\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Stephanie\cookies\index.dat


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 31,742 bytes
    Report generated in 0.375 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
