1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

antispynetwork pop up will not go away

Discussion in 'Virus & Other Malware Removal' started by userme, Aug 6, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    I have tried to follow another thread on htis but do not have that experience with the software you discussed ( I am reading all I can at this point). The Antispynet just will not die. I have purchased the Webroot sweeper and ran it multiple times and it always finds something. I guess the trojan is replicating?

    Anyway can you help me kill this off?

    Thanks
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Hi and welcome to TSG,

    Please do this:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    Thanks, I'll post the log below. I think I killed off the main issue by using some other posting advice here on how to remove stuff. However, the issue I have now is that my IE loads but cannot load pages (I am using Firefox for now), and I also get 2 messages from Webroot at start-up that its blocking access to 1001NIGHT.BIZ and 1800TAXFREE.COM and would like to erradicate those...

    Logfile of HijackThis v1.99.1
    Scan saved at 9:29:08 PM, on 8/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\MSI\[email protected] Plus\TVR\Scheduled.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\DAVEBE~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [PVR Agent] "C:\Program Files\MSI\[email protected] Plus\TVR\Scheduled.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094240006607
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124035977226
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Please do not do anything other than what is instructed.

    What exactly did you do?
     
  5. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    Well I downloaded and used the Smitfraud fix utility. I ran the utility an got my log and saw a bunch of malicious websites listed. I went to safe mode and ran the utility and deleted the files it suggested. After that the "Antispynetwork" popups stoped but just now causes IE not to find any sites (as if its not connected).
    Hope this helps.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  7. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    This is the report after running the utility

    SmitFraudFix v2.81

    Scan done at 22:02:54.28, Sun 08/06/2006
    Run from C:\Documents and Settings\Dave Beckett\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dave Beckett\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVEBE~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    As I said IE is not working and thus Panda does not work on Firefox.
    Logs for EWIDO

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:11:01 PM 8/7/2006

    + Scan result:



    C:\Program Files\Internet Explorer\lock.exe -> Downloader.Delf.ang : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\nvrfqpgj.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\odrnkovx.exe -> Downloader.Small.djm : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\yyiakgnu.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\vwykgrmk.hde -> Hijacker.Small.js : Cleaned with backup (quarantined).
    :mozilla.27:C:\Documents and Settings\Dave Beckett\Application Data\Mozilla\Firefox\Profiles\83v4cmep.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Cori\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    C:\Documents and Settings\Cori\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    C:\Documents and Settings\Cori\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
    C:\Documents and Settings\Cori\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).


    ::Report end
     
  9. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    New Hijack this log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:26:03 PM, on 8/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\MSI\[email protected] Plus\TVR\Scheduled.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\DAVEBE~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Omnipage] "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [PVR Agent] "C:\Program Files\MSI\[email protected] Plus\TVR\Scheduled.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094240006607
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124035977226
    O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  10. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    Hope you will still be able to assist me....
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  12. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    Umonitor 7/11/2006 4:19:18 PM 41904 C:\WINDOWS\pxinstall_log.txt

    Checking %System% folder...
    UPX! 9/1/2004 7:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
    PEC2 8/23/2001 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    UPX! 1/4/2003 5:42:32 PM 67072 C:\WINDOWS\SYSTEM32\dtssource.ax
    PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    UPX! 8/1/2006 4:29:58 PM 7425 C:\WINDOWS\SYSTEM32\lgslcecc.exe
    aspack 7/6/2006 6:21:46 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 8/6/2006 1:17:54 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
    UPX! 8/6/2006 1:17:54 PM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
    UPX! 8/6/2006 1:17:54 PM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
    winsync 8/23/2001 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
    127.0.0.1 generic.vpptechnologies.com
    127.0.0.1 images2.vpptechnologies.com
    127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
    127.0.0.1 msxml.vpptechnologies.com
    127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
    127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
    127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
    127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
    127.0.0.1 ad-behavior.com
    127.0.0.1 u.ad-behavior.com #[Trojan-Downloader.Win32.Qoologic.i]
    127.0.0.1 u.ad-behavior.com #[Trojan-Downloader.Win32.Qoologic.i]
    127.0.0.1 www.ad-behavior.com
    127.0.0.1 u.clkoptimizer.com #[Trojan-Downloader.Win32.Qoologic.f]
    127.0.0.1 qoologic.com
    127.0.0.1 adsrv.qoologic.com
    127.0.0.1 updates.qoologic.com #[TROJ_NARRATOR.A]
    127.0.0.1 www.qoologic.com
    127.0.0.1 urllogic.com
    127.0.0.1 s.urllogic.com
    127.0.0.1 u.urllogic.com #[Win32/TrojanDownloader.Qoologic]
    127.0.0.1 u.urllogic.com #[Win32/TrojanDownloader.Qoologic]
    127.0.0.1 www.urllogic.com
    127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede]
    127.0.0.1 www.ad-w-a-r-e.com
    127.0.0.1 abetterinternet.com #[Downloader.Stubby.A]
    127.0.0.1 belt.abetterinternet.com
    127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
    127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
    127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
    127.0.0.1 s.abetterinternet.com
    127.0.0.1 st.abetterinternet.com
    127.0.0.1 static.abetterinternet.com
    127.0.0.1 thinstall.abetterinternet.com
    127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]

    qoologic 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    PTech 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    urllogic 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    ad-beh 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    SAHAgent 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    abetterinternet.com 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new
    ad-w-a-r-e.com 6/28/2006 6:49:10 PM 268562 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.new

    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    8/8/2006 8:41:56 PM S 2048 C:\WINDOWS\bootstat.dat
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
    8/8/2006 8:30:56 PM H 48883 C:\WINDOWS\system32\vsconfig.xml
    8/6/2006 9:44:10 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
    7/24/2006 4:43:38 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
    7/7/2006 12:03:30 AM S 10690 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914440.cat
    6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    8/8/2006 8:42:12 PM H 12288 C:\WINDOWS\system32\config\default.LOG
    8/8/2006 8:42:18 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    8/8/2006 8:41:56 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    8/8/2006 8:43:02 PM H 90112 C:\WINDOWS\system32\config\software.LOG
    8/8/2006 8:42:20 PM H 954368 C:\WINDOWS\system32\config\system.LOG
    8/6/2006 9:00:42 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    6/23/2006 12:46:10 PM S 341 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\303572DF538EDD8B1D606185F1D559B8
    6/23/2006 12:46:14 PM S 413 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\79841F8EF00FBA86D33CC5A47696F165
    6/23/2006 12:46:10 PM S 574 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5
    6/23/2006 12:46:10 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\303572DF538EDD8B1D606185F1D559B8
    6/23/2006 12:46:14 PM S 98 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\79841F8EF00FBA86D33CC5A47696F165
    6/23/2006 12:46:10 PM S 136 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\904590238400AD963F77FAAAADC9BAB5
    8/6/2006 7:30:20 PM RHS 268562 C:\WINDOWS\system32\drivers\etc\hosts
    6/14/2006 4:47:34 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\eca4d48b-c919-4f96-a40e-dfc30fb33a37
    6/14/2006 4:47:34 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
    8/8/2006 8:40:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    5/25/2004 8:06:58 AM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Realtek Semiconductor Corp. 6/18/2004 4:32:34 PM 15684608 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
    Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    4/30/2001 4:51:00 AM 98304 C:\WINDOWS\SYSTEM32\Avsmcpa.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 8/23/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
    Realtek Semiconductor Corp. 6/18/2004 4:32:34 PM 15684608 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\ALSNDMGR.CPL

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    6/7/2006 5:16:40 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    9/3/2004 12:10:12 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    9/3/2004 2:02:18 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    9/3/2004 4:53:08 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    4/22/2005 10:56:00 AM 12 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
    3/6/2005 1:00:56 PM 12 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
    7/28/2006 8:01:40 AM 2556 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

    Checking files in %USERPROFILE%\Startup folder...
    9/3/2004 12:10:12 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    9/3/2004 4:53:08 AM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} =
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
    {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
    Windows Live Sign-in Helper = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
    MenuText = @xpsp3res.dll,-20001 :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\Browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Omnipage "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
    SoundMan SOUNDMAN.EXE
    RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    SunJavaUpdateSched "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
    PVR Agent "C:\Program Files\MSI\[email protected] Plus\TVR\Scheduled.exe"
    NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
    iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
    {17492023-C23A-453E-A040-C7C580BBF700} 1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 8/9/2006 2:46:35 AM
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
  14. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    This?

    ast file scanned at least one scanner reported something about: VLLite150.zip, detected by:

    Scanner Malware name
    AntiVir X
    ArcaVir X
    Avast Win32:Agent-XW
    AVG Antivirus PSW.Banker.25.S
    BitDefender X
    ClamAV X
    Dr.Web Trojan.Peflog.30
    F-Prot Antivirus X
    Fortinet Keylog/PerfLogger
    Kaspersky Anti-Virus not-a-virus:Monitor.Win32.Perflogger.al
    NOD32 X
    Norman Virus Control W32/Banker.VQR
    UNA X
    VirusBuster X
    VBA32 Trojan.Peflog.30
     
  15. userme

    userme Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    24
    opened the page again and got this

    Last file scanned at least one scanner reported something about: tibialuz5[1].1.zip, detected by:

    Scanner Malware name
    AntiVir Trojan/Virtl.Elirt.A.1
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender Virtool.Elirt.A
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 X
    Norman Virus Control X
    UNA X
    VirusBuster X
    VBA32 X
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/490070

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice