
Computer infected - Kenrnels88.exe

Discussion in 'Virus & Other Malware Removal' started by r01axb, Feb 14, 2007.

  1. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    Hello, I noticed my computer was running real slow and kept getting firewall alerts: a program named Kenrnels88.exe was trying to access the net. I tried to run Task Manager to stop it but received an error message: "Task Manager has been disabled by administrator". I tried to run Ad-Aware, but every time I do my computer shuts down. So far I've deleted Kenrnels88.exe, KaZaALite, and win32.exe from the temp folder, and scanned with Panda and Spybot in safe mode. Thank you in advance. Here are my Panda and HijackThis logs:



    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\a\LocalSettings\Temp\win32.exe
    Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\KaZaALite\bdcore.dll
    Virus:Trj/Goldun.NN Disinfected C:\WINDOWS\gif.exe
    Virus:Trj/Goldun.NN Disinfected C:\WINDOWS\system32\bt848rom.dll
    Virus:Trj/Goldun.NN Disinfected C:\WINDOWS\system32\k53lock.sys
    Virus:Trj/Downloader.LFO Disinfected C:\WINDOWS\system32\tmp_5.dll
    ----------------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 2:56:57 PM, on 2/14/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Easy Keyboard NT\Easykey.exe
    C:\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:MyHomePage
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 205.238.40.1 winmx.com
    O1 - Hosts: 205.238.40.1 www.winmx.com
    O1 - Hosts: 205.238.40.1 err.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard NT\Easykey.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_5.dll
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
    O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
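An added example, not code from the thread or from HijackThis: a small parser for the log format above that groups the O1 hosts-file redirections by target IP, lists the O2/O20 entries whose backing file is gone, and pulls out anything loaded through AppInit_DLLs. The sample log is a constructed subset of the posted one.

```python
"""Triage a HijackThis v1.99.1 log for the patterns seen in this thread.

Added example (not from the thread, nor HijackThis's own code): groups O1
hosts-file redirections by target IP, lists O2/O20 entries whose backing
file is gone, and pulls out any AppInit_DLLs loader.
"""
import re
from collections import defaultdict

# Constructed sample in the same format as the posted log (a subset of it).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:MyHomePage
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_5.dll
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")


def parse_entries(text):
    """Yield (section, body) for every entry line, e.g. ('O1', 'Hosts: ...')."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def hosts_redirections(text):
    """Map each target IP to the hostnames the hosts file sends to it.

    One IP swallowing many hostnames is the shape of a hosts-file hijack;
    the moderator's fix in this thread is to restore the stock hosts file.
    """
    by_ip = defaultdict(list)
    for sec, body in parse_entries(text):
        if sec == "O1":
            m = HOSTS_RE.match(body)
            if m:
                by_ip[m.group("ip")].append(m.group("host"))
    return dict(by_ip)


def dangling_loaders(text):
    """Entries that still register a file HijackThis could not find.

    These show up as '(no file)' / '(file missing)': the loader was deleted
    but its registration (BHO CLSID, Winlogon Notify key) survived.
    """
    return [(sec, body) for sec, body in parse_entries(text)
            if body.endswith("(no file)") or body.endswith("(file missing)")]


def appinit_entries(text):
    """Paths loaded via AppInit_DLLs; normally empty on a clean XP install."""
    return [body.split(":", 1)[1].strip() for sec, body in parse_entries(text)
            if sec == "O20" and body.startswith("AppInit_DLLs:")]


if __name__ == "__main__":
    for ip, hosts in hosts_redirections(SAMPLE_LOG).items():
        print(f"{ip} <- {len(hosts)} hostname(s)")
    for sec, body in dangling_loaders(SAMPLE_LOG):
        print(f"dangling {sec}: {body}")
    for path in appinit_entries(SAMPLE_LOG):
        print(f"AppInit_DLLs loader: {path}")
```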
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    "Administrator" - 07-02-14 16:22:04 Service Pack 1
    ComboFix 07-02-11 - Running from: "C:\Documents and Settings\a\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


    Granting SeDebugPrivilege to Administrators ... successful


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\INSTALL.LOG


    ((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


    2007-02-14 16:02 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-02-14 14:52 <DIR> d-------- C:\hijackthis
    2007-02-14 12:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
    2007-02-14 01:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-02-14 01:26 12,288 -r-h----- C:\WINDOWS\system32\svch6.exe
    2007-01-29 12:09 <DIR> d-------- C:\Program Files\eBay


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-14 13:53 -------- d-------- C:\Program Files\total uninstall
    2007-02-14 13:25 -------- d-------- C:\Program Files\easy keyboard nt
    2007-02-14 03:10 -------- d-------- C:\Program Files\avpersonal
    2007-01-29 12:10 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-16 15:46 -------- d-------- C:\Program Files\mightyfax
    2007-01-13 04:07 -------- d-------- C:\Program Files\ypops
    2007-01-08 16:13 49152 -ra------ C:\WINDOWS\system32\inetwh32.dll
    2007-01-08 16:13 1044480 -ra------ C:\WINDOWS\system32\roboex32.dll
    2007-01-01 02:50 22768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
    2006-12-24 15:21 -------- d-------- C:\Program Files\winamp
    2006-12-15 00:05 -------- d-------- C:\Program Files\shopsafe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
    "Easykey"="C:\\Program Files\\Easy Keyboard NT\\Easykey.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wscsvc"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="C:\WINDOWS\System32\tmp_5.dll"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoFind"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyDocs"=dword:00000001
    "NoRecentDocsMenu"=dword:00000001
    "NoFavoritesMenu"=dword:00000001
    "NoSMHelp"=dword:00000001
    "NoSMMyPictures"=dword:00000001
    "NoStartMenuMyMusic"=dword:00000001
    "NoStartMenuNetworkPlaces"=dword:00000001
    "StartMenuLogOff"=dword:00000001
    "NoRecentDocsHistory"=dword:00000001
    "ClearRecentDocsOnExit"=dword:00000001
    "Intellimenus"=dword:00000001
    "NoInstrumentation"=dword:00000001
    "NoTaskGrouping"=dword:00000001
    "NoAutoTrayNotify"=dword:00000001
    "NoSMBalloonTip"=dword:00000001
    "NoStartMenuMFUprogramsList"=dword:00000001
    "NoUserNameInStartMenu"=dword:00000001
    " NoSharedDocuments "=dword:00000001
    "NoSharedDocuments"=dword:00000001
    "NoLowDiskSpaceChecks"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Advanced]
    "DisableThumbnailCache"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bt848rom

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\$~$Sys0$.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-14 16:27:05
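An added example, not code from the thread or from ComboFix: a parser for the `[key]` / `"name"=data` lines in the Reg Loading Points section above that reports policy values blocking the user's cleanup tools, plus any AppInit_DLLs loader. The sample dump is constructed; it adds a DisableTaskMgr line, which the posted log does not show, to illustrate the value behind the "Task Manager has been disabled" message from the first post.

```python
"""Flag lockout policies in a ComboFix 'Reg Loading Points' dump.

Added example (not from the thread or from ComboFix): parses the reg-export
style lines ComboFix prints and reports policy values that hinder cleanup,
such as the one behind 'Task Manager has been disabled by your administrator'.
"""
import re

# Constructed sample in the same layout as the posted ComboFix section.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\System32\tmp_5.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFind"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
" NoSharedDocuments "=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

# Policy values that block the tools a user reaches for during cleanup.
# These are real value names; malware sets them, but so does legitimate
# admin policy, so a hit is a lead to check, not proof of infection.
LOCKOUT_VALUES = {
    "disabletaskmgr", "disableregistrytools", "disablecmd",
    "nofind", "norun", "nocontrolpanel", "nofolderoptions",
}


def parse_dump(text):
    """Return {key: {value_name: data}} for the [key] / "name"=data lines."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            tree.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            # Strip the padding seen in '" NoSharedDocuments "' so names
            # compare cleanly against LOCKOUT_VALUES.
            tree[current][vm.group("name").strip()] = vm.group("data")
    return tree


def dword(data):
    """Decode 'dword:00000001' to an int; None for other data types."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def lockout_policies(text):
    """List (key, name) for lockout policies set to a non-zero dword."""
    hits = []
    for key, values in parse_dump(text).items():
        if "\\policies\\" not in key.lower():
            continue
        for name, data in values.items():
            if name.lower() in LOCKOUT_VALUES and dword(data):
                hits.append((key, name))
    return hits


def appinit_dlls(text):
    """Return the AppInit_DLLs string, or '' when unset or empty."""
    for key, values in parse_dump(text).items():
        if key.lower().endswith(r"\windows nt\currentversion\windows"):
            for name, data in values.items():
                if name.lower() == "appinit_dlls":
                    return data.strip('"')
    return ""


if __name__ == "__main__":
    for key, name in lockout_policies(SAMPLE_DUMP):
        print(f"lockout policy set: {key} -> {name}")
    print(f"AppInit_DLLs: {appinit_dlls(SAMPLE_DUMP) or '(empty)'}")
```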
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download the HostsXpert - Hosts File Manager.
    • Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert - Hosts File Manager
    • Run HostsXpert - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
    Then download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.


    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries. Double-check to make sure, then make sure all browser and email windows are closed and press Fix Checked.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 205.238.40.1 winmx.com
    O1 - Hosts: 205.238.40.1 www.winmx.com
    O1 - Hosts: 205.238.40.1 err.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_5.dll
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)

    Now start Killbox and paste the file listed below into the "full pathname and file to delete" box.

    The file name will appear in the window. Select "delete on reboot", press the red X button, say yes to the prompt and NO to reboot now.
    [Note: Killbox makes backups of all deleted files and folders in a folder called C:\!killbox ] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

    C:\WINDOWS\system32\svch6.exe

    Then on the Killbox top bar press Tools / Delete Temp Files. In the pop-up box, towards the middle, is a drop-down box containing a list of all user accounts. In that drop-down box select your account, select ALL options it will allow you to, then press "delete selected temp files", then repeat for every user account listed in that drop-down box.

    then reboot

    Post a fresh HJT log and tell us how it is.
     
  5. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    Logfile of HijackThis v1.99.1
    Scan saved at 5:45:12 PM, on 2/14/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Easy Keyboard NT\Easykey.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:MyHomePage
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard NT\Easykey.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    * Run the Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from Kaspersky scan

    * Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

    Note: Kavscan is a scanner only and won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

    You must use IE for the scan to work
     
  7. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, February 15, 2007 1:32:51 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 15/02/2007
    Kaspersky Anti-Virus database records: 253117
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 27448
    Number of viruses found: 1
    Number of infected objects: 1 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:04:04

    Infected Object Name / Virus Name / Last Action
    C:\!KillBox\svch6.exe Infected: Trojan-Downloader.Win32.Agent.rm skipped
    C:\Documents and Settings\a\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\a\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\a\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\a\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\a\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\a\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\a\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
    C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
    C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
    C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
    C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped

    Scan process completed.


    ---------------------------------------------------------------------------------


    Logfile of HijackThis v1.99.1
    Scan saved at 1:40:00 AM, on 2/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Easy Keyboard NT\Easykey.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:MyHomePage
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard NT\Easykey.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33D6F203-9875-4527-B417-A45F72072A58}: NameServer = 69.72.64.2 69.72.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{33D6F203-9875-4527-B417-A45F72072A58}: NameServer = 69.72.64.2 69.72.0.2
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    ---------------------------------------------------------------------------------

    Uninstall Manager List


    AbiWord 2.0.2 (remove only)
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Reader 6.0.1
    Agent Ransack Version 1.7.3
    AntiVir/XP
    ATI Display Driver
    CCleaner (remove only)
    CDScan
    Check Printer 5.6
    DirectX 9 Hotfix - KB839643
    DivX 5.0.2 Bundle
    Easy Mail for Windows 95/98/00/ME/NT/XP
    EasyKeyboard 5000(A)
    FreshDownload
    HijackThis 1.99.1
    HP Deskjet 3840
    HP Software Update
    ieSpell 2.0.1 (build 325)
    iPod for Windows 2006-06-28
    iTunes
    Java 2 Runtime Environment, SE v1.4.2_03
    Kaspersky Online Scanner
    Microsoft Data Access Components KB870669
    Microsoft Money 2003
    Microsoft Money 2003 System Pack
    MightyFax
    Motorola Driver Installation
    Motorola PST
    Nero - Burning Rom (Web installer)
    Panda ActiveScan
    PrintKey2000
    Python 2.4.2
    QuickTime
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896426)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB901214)
    ShopSafe
    Siemens Data Suite
    Spell Checker For OE 2.1
    Spy Sweeper
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Sygate Personal Firewall
    Total Uninstall 2.31
    Turbo Lister 2
    Update for Windows XP (KB898461)
    USB Data Cable
    WIBU-KEY Setup (WIBU-KEY Remove)
    Winamp (remove only)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows Media Player Hotfix [See Q828026 for more information]
    Windows Support Tools
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892944
    Windows XP Hotfix - KB893086
    Windows XP Hotfix - KB896727
    Windows XP Hotfix - KB897715
    Windows XP Hotfix (SP2) Q814560
    Windows XP Hotfix (SP2) Q816843
    Windows XP Hotfix (SP2) Q819696
    WinMX
    WinRAR archiver
    YPOPs! 0.8.6.2
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
Are you running in safe mode? I can't see any sign of your antivirus running; otherwise the malware has disabled it.


Let's see what this shows, as Kaspersky was clear.

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click All
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click Non-Microsoft
      • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
      • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED.
      • In the File String Search group select Non-Microsoft
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that Notepad file.
    Use the Reply button and attach the Notepad file here. I will review it when it comes in.
     
  9. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    WinPFind3 logfile created on: 2/15/2007 3:53:40 PM
    WinPFind3U by OldTimer - Version 1.0.18 Folder = C:\Documents and Settings\a\Desktop\WinPFind3u\
    Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2800.1106)

    261620 Kb Total Physical Memory | 102456 Kb Available Physical Memory | 39.16% Memory free
    630872 Kb Paging File | 522908 Kb Available in Paging File | 82.89% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 30017420 Kb Total Space | 23957916 Kb Free Space | 79.81% Space Free
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded


    [Processes - All]
    smss.exe -> %System32%\smss.exe -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 45568 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    csrss.exe -> %System32%\csrss.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 4096 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    winlogon.exe -> %System32%\winlogon.exe -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 516608 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    services.exe -> %System32%\services.exe -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 101376 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    lsass.exe -> %System32%\lsass.exe -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 11776 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\rpcss.dll [RpcSs] -> Microsoft Corporation [Ver = 5.1.2600.1619 (xpsp2.041130-1838) | Size = 284672 bytes | Modified Date = 1/14/2005 12:33:52 AM | Attr = ]
    smc.exe -> %ProgramFiles%\Sygate\SPF\Smc.exe -> Sygate Technologies, Inc. [Ver = 5.5.00.2710 | Size = 2532576 bytes | Modified Date = 8/13/2004 6:05:56 PM | Attr = ]
    explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver = 6.00.2800.1106 (xpsp1.020828-1920) | Size = 1004032 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    spoolsv.exe -> %System32%\spoolsv.exe -> Microsoft Corporation [Ver = 5.1.2600.1699 (xpsp2.050610-1533) | Size = 53248 bytes | Modified Date = 6/10/2005 6:55:46 PM | Attr = ]
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\appmgmts.dll [AppMgmt] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 156672 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\audiosrv.dll [AudioSrv] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 38912 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\qmgr.dll [BITS] -> Microsoft Corporation [Ver = 6.6.2600.1569 (xpsp2_gdr.040517-1325) | Size = 361984 bytes | Modified Date = 7/1/2004 5:08:18 PM | Attr = ]
    -> %System32%\cryptsvc.dll [CryptSvc] -> Microsoft Corporation [Ver = 5.1.2600.1190 (xpsp2.030320-1720) | Size = 53760 bytes | Modified Date = 3/25/2003 7:40:14 PM | Attr = ]
    -> %System32%\dhcpcsvc.dll [Dhcp] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 99840 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\dmserver.dll [dmserver] -> Microsoft Corp. [Ver = 2600.0.503.0 | Size = 21504 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\ersvc.dll [ERSvc] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 19456 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\es.dll [EventSystem] -> Microsoft Corporation [Ver = 2001.12.4414.53 | Size = 226816 bytes | Modified Date = 3/5/2004 9:16:12 PM | Attr = ]
    -> %System32%\shsvcs.dll [FastUserSwitchingCompatibility] -> Microsoft Corporation [Ver = 6.00.2800.1605 (xpsp2.040919-1003) | Size = 116736 bytes | Modified Date = 10/27/2004 8:29:54 PM | Attr = ]
    -> %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll [helpsvc] -> File not found
    -> %System32%\hidserv.dll [HidServ] -> File not found
    -> %System32%\netman.dll [Netman] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 154112 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\mswsock.dll [Nla] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 228352 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\ntmssvc.dll [NtmsSvc] -> Microsoft Corporation [Ver = 5.1.2400.1106 | Size = 392704 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\rasauto.dll [RasAuto] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 82944 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\rasmans.dll [RasMan] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 158720 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\mprdim.dll [RemoteAccess] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 49152 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\schedsvc.dll [Schedule] -> Microsoft Corporation [Ver = 5.1.2600.1564 (xpsp2_gdr.040517-1325) | Size = 172544 bytes | Modified Date = 6/8/2004 5:02:22 PM | Attr = ]
    -> %System32%\seclogon.dll [seclogon] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 20992 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\sens.dll [SENS] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 36352 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\ipnathlp.dll [SharedAccess] -> Microsoft Corporation [Ver = 5.1.2600.1364 (xpsp2.040109-1800) | Size = 439808 bytes | Modified Date = 3/29/2004 8:48:36 PM | Attr = ]
    -> %System32%\shsvcs.dll [ShellHWDetection] -> Microsoft Corporation [Ver = 6.00.2800.1605 (xpsp2.040919-1003) | Size = 116736 bytes | Modified Date = 10/27/2004 8:29:54 PM | Attr = ]
    -> %System32%\srsvc.dll [srservice] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 158720 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\tapisrv.dll [TapiSrv] -> Microsoft Corporation [Ver = 5.1.2600.1715 (xpsp2.050706-1530) | Size = 238592 bytes | Modified Date = 7/8/2005 11:09:48 AM | Attr = ]
    -> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 200192 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\termsrv.dll [TermService] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 200192 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\shsvcs.dll [Themes] -> Microsoft Corporation [Ver = 6.00.2800.1605 (xpsp2.040919-1003) | Size = 116736 bytes | Modified Date = 10/27/2004 8:29:54 PM | Attr = ]
    -> %System32%\trkwks.dll [TrkWks] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 81920 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll [uploadmgr] -> File not found
    -> %System32%\w32time.dll [W32Time] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 165376 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\wbem\WMIsvc.dll [winmgmt] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 101376 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\mspmsnsv.dll [WmdmPmSN] -> Microsoft Corporation [Ver = 9.0.1.56 | Size = 52224 bytes | Modified Date = 11/26/2002 6:03:32 PM | Attr = ]
    -> %System32%\advapi32.dll [Wmi] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 558080 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\wuauserv.dll [wuauserv] -> Microsoft Corporation [Ver = 5.4.3630.1106 (xpsp1.020828-1920) | Size = 9216 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\wzcsvc.dll [WZCSVC] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 264704 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    avp.exe -> %ProgramFiles%\AOL\Active Virus Shield\avp.exe -> AOL [Ver = 6.0.0.299 | Size = 139367 bytes | Modified Date = 5/30/2006 11:13:24 AM | Attr = ]
    svchost.exe -> %System32%\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC] -> Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 12800 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    -> %System32%\wiaservc.dll [stisvc] -> Microsoft Corporation [Ver = 5.1.2600.1106 (xpsp1.020828-1920) | Size = 316416 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    easykey.exe -> %ProgramFiles%\Easy Keyboard NT\EasyKey.exe -> Polypix Inc. [Ver = 1.0 | Size = 827392 bytes | Modified Date = 12/28/1999 1:58:32 PM | Attr = ]
    avp.exe -> %ProgramFiles%\AOL\Active Virus Shield\avp.exe -> AOL [Ver = 6.0.0.299 | Size = 139367 bytes | Modified Date = 5/30/2006 11:13:24 AM | Attr = ]
    sgmain.exe -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [Ver = 2.02.0001 | Size = 360448 bytes | Modified Date = 8/29/2003 7:05:36 PM | Attr = ]
    sgbhp.exe -> %ProgramFiles%\SpywareGuard\sgbhp.exe -> [Ver = 2.02.0001 | Size = 233472 bytes | Modified Date = 8/29/2003 11:14:58 AM | Attr = ]
    winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.18.0 | Size = 308736 bytes | Modified Date = 2/12/2007 9:39:14 PM | Attr = ]

    [Win32 Services - Non-Microsoft Only]
    (AVP) Active Virus Shield [Win32_Own | Auto | Running] -> %ProgramFiles%\AOL\Active Virus Shield\avp.exe -> AOL [Ver = 6.0.0.299 | Size = 139367 bytes | Modified Date = 5/30/2006 11:13:24 AM | Attr = ]
    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (FreePOPs) FreePOPs [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\FreePOPs\freepopsservice.exe -> File not found
    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/3/2005 11:41:10 PM | Attr = ]
    (iPodService) iPodService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 323584 bytes | Modified Date = 6/14/2006 3:23:58 PM | Attr = ]
    (SmcService) Sygate Personal Firewall [Win32_Own | Auto | Running] -> %ProgramFiles%\Sygate\SPF\Smc.exe -> Sygate Technologies, Inc. [Ver = 5.5.00.2710 | Size = 2532576 bytes | Modified Date = 8/13/2004 6:05:56 PM | Attr = ]

    [Driver Services - Non-Microsoft Only]
    (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
    (abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
    (ACPI) ACPI [Kernel | Disabled | Stopped] -> -> File not found
    (ACPIEC) ACPIEC [Kernel | Disabled | Stopped] -> -> File not found
    (adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
    (Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
    (aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
    (aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
    (AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
    (amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
    (asc) asc [Kernel | Disabled | Stopped] -> -> File not found
    (asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
    (asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
    (Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
    (ati2mpad) ati2mpad [Kernel | On_Demand | Running] -> %System32%\drivers\ati2mpad.sys -> ATI Technologies Inc. [Ver = 5.10.2600.6010 built by: jlu | Size = 303360 bytes | Modified Date = 2/18/2002 1:19:46 PM | Attr = ]
    (ati2mtaa) ati2mtaa [Kernel | On_Demand | Stopped] -> system32\DRIVERS\ati2mtaa.sys -> File not found
    (atirage3) atirage3 [Kernel | On_Demand | Stopped] -> %System32%\drivers\atimpae.sys -> ATI Technologies Inc. [Ver = 5.1.2493.0 (Lab01_N(ericks).010612-1818) | Size = 75136 bytes | Modified Date = 8/17/2001 7:49:00 AM | Attr = ]
    (avgntdw) avgntdw [Kernel | On_Demand | Stopped] -> %ProgramFiles%\AVPERSONAL\AVGNTDW.SYS -> File not found
    (basic2) basic2 [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_BSC2.sys -> Conexant [Ver = 3.05.12.04 | Size = 67167 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
    (Changer) Changer [Kernel | System | Stopped] -> -> File not found
    (CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
    (Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
    (cwcspud) Crystal SoundFusion(tm) Driver [Kernel | On_Demand | Running] -> %System32%\drivers\cwcspud.sys -> Crystal Semiconductor Corp. [Ver = 5.1.2501.0 built by: WinDDK | Size = 111872 bytes | Modified Date = 8/17/2001 12:19:36 PM | Attr = ]
    (cwcwdm) Crystal SoundFusion(tm) WDM Driver [Kernel | On_Demand | Running] -> %System32%\drivers\cwcwdm.sys -> Crystal Semiconductor Corp. [Ver = 5.2.3663.0 built by: WinDDK | Size = 94976 bytes | Modified Date = 12/18/2002 1:22:26 PM | Attr = ]
    (dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
    (dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 780928 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 146304 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
    (Fallback) Fallback [Kernel | Auto | Running] -> %System32%\drivers\HSF_FALL.sys -> Conexant [Ver = 3.05.12.04 | Size = 289887 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (Fsks) Fsks [Kernel | Auto | Running] -> %System32%\drivers\HSF_FSKS.sys -> Conexant [Ver = 3.05.12.04 | Size = 115807 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
    (HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Stopped] -> System32\DRIVERS\HSFBS2S2.sys -> File not found
    (HSF_DP) HSF_DP [Kernel | On_Demand | Stopped] -> System32\DRIVERS\HSFDPSP2.sys -> File not found
    (hsf_msft) hsf_msft [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_MSFT.sys -> Conexant [Ver = 3.05.12.06 | Size = 542879 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (HTTP) HTTP [Kernel | On_Demand | Stopped] -> System32\Drivers\HTTP.sys -> File not found
    (i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
    (i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
    (ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
    (ip6fw) IPv6 Windows Firewall Driver [Kernel | On_Demand | Stopped] -> system32\drivers\ip6fw.sys -> File not found
    (k53lock) VMemory protect [Kernel | System | Stopped] -> %System32%\k53lock.sys -> File not found
    (K56) K56 [Kernel | Auto | Running] -> %System32%\drivers\HSF_K56K.sys -> Conexant [Ver = 3.05.12.04 | Size = 391199 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (kl1) kl1 [Kernel | Boot | Running] -> %System32%\drivers\kl1.sys -> Kaspersky Lab [Ver = 6.0.15.229 | Size = 20699 bytes | Modified Date = 2/13/2006 3:24:10 PM | Attr = ]
    (klif) klif [Kernel | System | Running] -> %System32%\drivers\klif.sys -> Kaspersky Lab [Ver = 6.12.10.233 | Size = 171792 bytes | Modified Date = 8/24/2006 6:23:24 PM | Attr = ]
    (lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
    (mdmxsdk) mdmxsdk [Kernel | Auto | Stopped] -> System32\DRIVERS\mdmxsdk.sys -> File not found
    (MotoSwitchService) MotoSwitch Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\motswch.sys -> Motorola INC. [Ver = 1.0.0.0 | Size = 5632 bytes | Modified Date = 6/8/2006 6:55:50 PM | Attr = ]
    (mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
    (P2k) Motorola USB Device [Kernel | On_Demand | Stopped] -> %System32%\drivers\P2k.sys -> Motorola Inc [Ver = 2.3 | Size = 40960 bytes | Modified Date = 7/28/2006 8:10:18 AM | Attr = ]
    (PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
    (PCIIde) PCIIde [Kernel | Disabled | Stopped] -> -> File not found
    (PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
    (PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
    (PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
    (PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
    (perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
    (perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
    (Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
    (Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
    (ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
    (ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
    (ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
    (Rksample) Rksample [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_SAMP.sys -> Conexant [Ver = 3.05.12.05 | Size = 57471 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
    (slabbus) USB Data Cable driver (WDM) [Kernel | On_Demand | Stopped] -> %System32%\drivers\slabbus.sys -> MCCI [Ver = V4.19c | Size = 51040 bytes | Modified Date = 8/9/2004 12:44:40 AM | Attr = RH ]
    (slabser) USB Data Cable Drivers [Kernel | On_Demand | Stopped] -> %System32%\drivers\slabser.sys -> MCCI [Ver = V4.19c | Size = 82768 bytes | Modified Date = 8/9/2004 12:44:40 AM | Attr = RH ]
    (SoftFax) SoftFax [Kernel | Auto | Running] -> %System32%\drivers\HSF_FAXX.sys -> Conexant [Ver = 3.05.12.04 | Size = 199711 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
    (symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
    (symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
    (sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
    (sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
    (Teefer) Teefer for NT [Kernel | Boot | Running] -> %System32%\drivers\Teefer.sys -> Sygate Technologies, Inc. [Ver = 1.60.1101 | Size = 59984 bytes | Modified Date = 8/10/2004 3:51:30 PM | Attr = ]
    (Tones) Tones [Kernel | Auto | Running] -> %System32%\drivers\HSF_TONE.sys -> Conexant [Ver = 3.05.12.04 | Size = 50751 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
    (ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
    (V124) V124 [Kernel | Auto | Running] -> %System32%\drivers\HSF_V124.sys -> Conexant [Ver = 3.05.12.04 | Size = 488383 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    (ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
    (vsdatant) vsdatant [Kernel | Disabled | Stopped] -> -> File not found
    (WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
    (wg3n) SyGate for NT, wg3n [Kernel | Auto | Running] -> %System32%\drivers\wg3n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1222 | Size = 14240 bytes | Modified Date = 8/10/2004 4:05:42 PM | Attr = ]
    (wg4n) SyGate for NT, wg4n [Kernel | Auto | Running] -> %System32%\drivers\wg4n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1222 | Size = 14240 bytes | Modified Date = 8/10/2004 4:05:42 PM | Attr = ]
    (wg5n) SyGate for NT, wg5n [Kernel | Auto | Running] -> %System32%\drivers\wg5n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1222 | Size = 14240 bytes | Modified Date = 8/10/2004 4:05:42 PM | Attr = ]
    (wg6n) SyGate for NT, wg6n [Kernel | Auto | Running] -> %System32%\drivers\wg6n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1222 | Size = 14240 bytes | Modified Date = 8/10/2004 4:05:44 PM | Attr = ]
    (WIBUKEY) WIBU-KEY Kernel Driver [Kernel | Auto | Running] -> %System32%\drivers\Wibukey.sys -> WIBU-SYSTEMS AG [Ver = Version 3.10a of 2001-Nov-28 | Size = 67072 bytes | Modified Date = 12/27/2001 10:59:34 AM | Attr = ]
    (wpsdrvnt) wpsdrvnt [Kernel | System | Running] -> %System32%\drivers\wpsdrvnt.sys -> Sygate Technologies, Inc. [Ver = 1, 0, 0, 17 | Size = 21075 bytes | Modified Date = 8/10/2004 3:53:14 PM | Attr = ]
     
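One thing worth pulling out of the driver list above: the k53lock key ("VMemory protect", [Kernel | System | Stopped]) still points at %System32%\k53lock.sys, the file Panda reported as Trj/Goldun.NN and disinfected at the top of the thread. The binary is gone, but the System-start kernel-driver registration is still in the registry, sitting among the dozens of placeholder SCSI/IDE keys every XP install carries with "File not found". The script below is an added example, not part of this thread and not OldTimer's tool: it parses lines in the shape WinPFind3U prints, separates orphaned keys from an assumed baseline of stock XP placeholders (that list is an assumption made for the example, not something the thread states), and cross-references the orphans against an AV report. The sample log and scan lines are constructed from lines quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# One WinPFind3U service/driver line has this shape (see the log above):
#   (Name) Display Name [Type | Start | State] -> path -> Vendor [Ver = ... ]
# and, when the binary is gone:
#   (Name) Display Name [Type | Start | State] -> path -> File not found
ENTRY_RE = re.compile(
    r"^\((?P<name>[^)]+)\)\s+(?P<display>.*?)\s*"
    r"\[(?P<kind>[^|\]]+)\|(?P<start>[^|\]]+)\|(?P<state>[^\]]+)\]\s*"
    r"->\s*(?P<path>.*?)\s*->\s*(?P<rest>.*)$"
)

# Service keys that a stock Windows XP install registers without a backing
# file (legacy SCSI/RAID/IDE miniports). This baseline is an assumption made
# for the example; keep a verified list of your own rather than trusting it.
XP_STOCK_MISSING: Set[str] = {
    "Abiosdsk", "abp480n5", "adpu160m", "Aha154x", "aic78u2", "aic78xx",
    "AliIde", "amsint", "asc", "asc3350p", "asc3550", "Atdisk", "cd20xrnt",
    "Changer", "CmdIde", "Cpqarray", "dac960nt", "dpti2o", "hpn", "i2omgmt",
    "i2omp", "ini910u", "lbrtfdc", "mraid35x", "PCIDump", "PCIIde", "PDCOMP",
    "PDFRAME", "PDRELI", "PDRFRAME", "perc2", "perc2hib", "ql1080", "Ql10wnt",
    "ql12160", "ql1240", "ql1280", "Simbad", "Sparrow", "symc810", "symc8xx",
    "sym_hi", "sym_u3", "TosIde", "ultra", "ViaIde", "WDICA",
}


@dataclass
class ServiceEntry:
    name: str          # registry key name, e.g. k53lock
    display: str       # display name, e.g. "VMemory protect"
    kind: str          # Kernel / Win32_Own / ...
    start: str         # Boot / System / Auto / On_Demand / Disabled
    state: str         # Running / Stopped
    path: str          # image path as the tool printed it (may be empty)
    vendor: str        # company from the version block, "" if file missing
    file_missing: bool


def parse_entries(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in the log; skip headers and blanks."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.startswith("File not found")
        entries.append(ServiceEntry(
            name=m.group("name"),
            display=m.group("display").strip(),
            kind=m.group("kind").strip(),
            start=m.group("start").strip(),
            state=m.group("state").strip(),
            path=m.group("path").strip(),
            vendor="" if missing else rest.split("[", 1)[0].strip(),
            file_missing=missing,
        ))
    return entries


def orphaned_entries(entries: List[ServiceEntry],
                     baseline: Set[str] = XP_STOCK_MISSING) -> List[ServiceEntry]:
    """Keys whose binary is gone and that are not stock placeholders.

    A missing file cannot load, so an orphan is not active malware by itself,
    but it is a leftover to review: an uninstaller left it behind, or a
    scanner removed the file and left the service registration in place.
    """
    return [e for e in entries if e.file_missing and e.name not in baseline]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate_with_scan(entries: List[ServiceEntry], scan_report: str) -> List[ServiceEntry]:
    """Entries whose file name matches a .sys/.dll/.exe path named in an AV report."""
    named = {_basename(p) for p in re.findall(r"\S+\.(?:sys|dll|exe)\b", scan_report, re.I)}
    return [e for e in entries if e.path and _basename(e.path) in named]


# Constructed sample: four lines in the shape of the driver list above and
# two lines in the shape of the Panda report quoted at the top of the thread.
SAMPLE_LOG = r"""
[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(avgntdw) avgntdw [Kernel | On_Demand | Stopped] -> %ProgramFiles%\AVPERSONAL\AVGNTDW.SYS -> File not found
(k53lock) VMemory protect [Kernel | System | Stopped] -> %System32%\k53lock.sys -> File not found
(kl1) kl1 [Kernel | Boot | Running] -> %System32%\drivers\kl1.sys -> Kaspersky Lab [Ver = 6.0.15.229 | Size = 20699 bytes]
"""
SAMPLE_SCAN = r"""
Virus:Trj/Goldun.NN Disinfected C:\WINDOWS\system32\k53lock.sys
Virus:Trj/Downloader.LFO Disinfected C:\WINDOWS\system32\tmp_5.dll
"""


def triage(log_text: str, scan_report: str) -> dict:
    """Return the orphaned key names and those that also match the AV report."""
    entries = parse_entries(log_text)
    return {
        "orphaned": [e.name for e in orphaned_entries(entries)],
        "av_match": [e.name for e in correlate_with_scan(entries, scan_report)],
    }


if __name__ == "__main__":
    for label, names in triage(SAMPLE_LOG, SAMPLE_SCAN).items():
        print(f"{label}: {', '.join(names) or '(none)'}")
```

Run against the sample it reports avgntdw and k53lock as orphans (both non-baseline keys with no file) and k53lock alone as matching the scan report. The other orphan, avgntdw, is the AntiVir driver whose file is also gone even though AntiVir is still listed as a service and in the uninstall list, which is the kind of leftover a helper would want to look at separately rather than lump in with the detection.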
  10. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    [Registry - Non-Microsoft Only]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    -> -> File not found
    aol -> %ProgramFiles%\AOL\Active Virus Shield\avp.exe -> AOL [Ver = 6.0.0.299 | Size = 139367 bytes | Modified Date = 5/30/2006 11:13:24 AM | Attr = ]
    Easykey -> %ProgramFiles%\Easy Keyboard NT\EasyKey.exe -> Polypix Inc. [Ver = 1.0 | Size = 827392 bytes | Modified Date = 12/28/1999 1:58:32 PM | Attr = ]
    SmcService -> %ProgramFiles%\Sygate\SPF\Smc.exe -> Sygate Technologies, Inc. [Ver = 5.5.00.2710 | Size = 2532576 bytes | Modified Date = 8/13/2004 6:05:56 PM | Attr = ]
    < User Startup > -> C:\Documents and Settings\a\Start Menu\Programs\Startup
    %UserStartup%\SpywareGuard.lnk -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [Ver = 2.02.0001 | Size = 360448 bytes | Modified Date = 8/29/2003 7:05:36 PM | Attr = ]
    < Disabled MSConfig Services [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
    wscsvc -> ->
    < Registry Shell Spawning > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command
    regfile [merge] -> Reg Data - Key not found ->
    scrfile [open] -> "%1" /S ->
    scrfile [config] -> "%1" ->
    Directory [Winamp.Bookmark] -> %ProgramFiles%\Winamp\winamp.exe -> Nullsoft [Ver = 2.80 | Size = 679424 bytes | Modified Date = 5/1/2002 2:53:52 PM | Attr = ]
    Directory [Winamp.Enqueue] -> %ProgramFiles%\Winamp\winamp.exe -> Nullsoft [Ver = 2.80 | Size = 679424 bytes | Modified Date = 5/1/2002 2:53:52 PM | Attr = ]
    Directory [Winamp.Play] -> %ProgramFiles%\Winamp\winamp.exe -> Nullsoft [Ver = 2.80 | Size = 679424 bytes | Modified Date = 5/1/2002 2:53:52 PM | Attr = ]
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> %programfiles%\internet explorer\iexplore.exe -> File not found
    *Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\\Command ->
    NewLinkHere -> -> File not found
    %1 -> -> File not found
    *Command* -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\\Command ->
    Briefcase_Create -> -> File not found
    %2!d! -> -> File not found
    %1 -> -> File not found
    < ActiveX StubPath [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -> ->
    {22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> ->
    {2C7339CF-2B09-4501-B3F3-F3508C9228ED} -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll ->
    {44BBA840-CC51-11CF-AAFA-00AA00B6015C} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install ->
    {44BBA842-CC51-11CF-AAFA-00AA00B6015B} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT ->
    {4b218e3e-bc98-4770-93d3-2731b9329278} -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf ->
    {5945c046-1e7d-11d1-bc44-00c04fd912be} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser ->
    {6BF52A52-394A-11d3-B153-00C04F79FAA6} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub ->
    {7790769C-0471-11d2-AF11-00C04FA35D02} -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install ->
    {89820200-ECBD-11cf-8B85-00AA005B4340} -> regsvr32.exe /s /n /i:U shell32.dll ->
    {89820200-ECBD-11cf-8B85-00AA005B4383} -> %SystemRoot%\system32\ie4uinit.exe ->
    {8b15971b-5355-4c82-8c07-7e181ea07608} -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser ->
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c} -> rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider ->
    >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP ->
    >{26923b43-4d38-484f-9b9e-de460746276c} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE ->
    >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP ->
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE ->
    < WOW Command Line [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
    *wowcmdline* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\\wowcmdline ->
    -a -> -> File not found
    < Session Manager Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute -> autocheck autochk *; ->
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {81559C35-8464-49F7-BB0E-07A383BEF910} [HKLM] -> %ProgramFiles%\SpywareGuard\spywareguard.dll [] -> [Ver = 2.02 | Size = 126976 bytes | Modified Date = 8/2/2003 11:20:58 PM | Attr = R ]
    < SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
    < Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    *VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
    Control_RunDLL -> -> File not found
    < Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    < Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\\NoDriveTypeAutoRun -> -1124073472 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFind -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 181 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
    < Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 181 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyDocs -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsMenu -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFavoritesMenu -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMHelp -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyPictures -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMyMusic -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuNetworkPlaces -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\StartMenuLogOff -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsHistory -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ClearRecentDocsOnExit -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\Intellimenus -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoInstrumentation -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoTaskGrouping -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoAutoTrayNotify -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMBalloonTip -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMFUprogramsList -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoUserNameInStartMenu -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ NoSharedDocuments -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSharedDocuments -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoLowDiskSpaceChecks -> 1 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\\DisableThumbnailCache -> 0 ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> ->
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ -> ->
    < Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
    0 -> [Key] ->
    0 -> FriendlyName = My Current Home Page ->
    0 -> Source = About:Home ->
    0 -> SubscribedURL = About:Home ->
    < HOSTS File > (424 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
    127.0.0.1 localhost -> ->
    127.0.0.1 pagead2.googlesyndication.com -> ->
    127.0.0.1 ad.doubleclick.net -> ->
    < Internet Explorer Settings > ->
    HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
    HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
    HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKLM: Start Page -> about:blank ->
    HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
    HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
    HKCU: Local Page -> C:\WINDOWS\SYSTEM32\blank.htm ->
    HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
    HKCU: Start Page -> about:MyHomePage ->
    HKCU: ProxyEnable -> 0 ->
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.1.2003110300 | Size = 54248 bytes | Modified Date = 11/3/2003 2:17:44 PM | Attr = ]
    {206E52E0-D52E-11D4-AD54-0000E86C26F6} [HKLM] -> %ProgramFiles%\FreshDevices\FreshDownload\fdcatch.dll [] -> FreshDevices Corp. [Ver = 3.5.0.0 | Size = 210432 bytes | Modified Date = 6/10/2003 1:21:52 PM | Attr = ]
    {333F6B96-3992-4D58-A499-145A10FE48C3} [HKLM] -> %System32%\BhoSSafe.dll [ShopSafeBrowserHelper Class] -> Orbiscom Ltd. All rights reserved. [Ver = 3, 5, 0, 0, 119 | Size = 139264 bytes | Modified Date = 10/20/2003 7:18:10 AM | Attr = ]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2} [HKLM] -> %ProgramFiles%\SpywareGuard\dlprotect.dll [SpywareGuardDLBLOCK.CBrowserHelper] -> [Ver = 2.02 | Size = 192512 bytes | Modified Date = 8/2/2003 11:24:02 PM | Attr = R ]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    {8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
    < Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8198 - Reg Data - Value does not exist ->
    {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} -> 8193 - Reg Data - Value does not exist ->
    {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} -> 8194 - Reg Data - Key not found ->
    {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> 8195 - Reg Data - Key not found ->
    {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -> 8197 - Reg Data - Value does not exist ->
    {FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8196 - Reg Data - Key not found ->
    NextId -> 8197 ->
    < Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
    {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} -> %ProgramFiles%\ieSpell\iespell.dll\SPELLCHECK.HTM [ButtonText: ieSpell] -> File not found
    {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -> Reg Data - Value does not exist [ButtonText: MoneySide] -> File not found
    < Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    {00020000-0000-1011-8004-0000C06B5161} [HKLM] -> %ProgramFiles%\WIBU-SYSTEMS\System\WibuShellExt.dll [WIBU-SYSTEMS Shell Extension] -> WIBU-SYSTEMS AG [Ver = Version 1.01 of 2001-Nov-28 | Size = 335872 bytes | Modified Date = 12/27/2001 11:02:12 AM | Attr = ]
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
    {2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} [HKLM] -> Reg Data - Key not found [Set Program Access and Defaults] -> File not found
    {42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> Reg Data - Key not found [Display Panning CPL Extension] -> File not found
    {596AB062-B4D2-4215-9F74-E9109B0A8153} [HKLM] -> Reg Data - Key not found [Previous Versions Property Page] -> File not found
    {764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
    {7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
    {81559C35-8464-49F7-BB0E-07A383BEF910} [HKLM] -> %ProgramFiles%\SpywareGuard\spywareguard.dll [] -> [Ver = 2.02 | Size = 126976 bytes | Modified Date = 8/2/2003 11:20:58 PM | Attr = R ]
    {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
    {88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    {9DB7A13C-F208-4981-8353-73CC61AE2783} [HKLM] -> Reg Data - Key not found [Previous Versions] -> File not found
    {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} [HKLM] -> %ProgramFiles%\iTunes\iTunesMiniPlayer.dll [iTunes] -> Apple Computer, Inc. [Ver = 6.0.5.20 | Size = 102400 bytes | Modified Date = 6/14/2006 3:35:34 PM | Attr = ]
    {ED65AB21-B24F-11d3-BA80-00C0CA16AA37} [HKLM] -> %ProgramFiles%\Siemens Data Suite\DES\DESShellExt.dll [Mobile] -> Siemens AG [Ver = 1, 2, 5, 65 | Size = 1773568 bytes | Modified Date = 3/15/2004 11:10:06 AM | Attr = ]
    {ED65AB22-B24F-11d3-BA80-00C0CA16AA37} [HKLM] -> %ProgramFiles%\Siemens Data Suite\DES\DESShellExt.dll [Mobile ContextMenuHandler] -> Siemens AG [Ver = 1, 2, 5, 65 | Size = 1773568 bytes | Modified Date = 3/15/2004 11:10:06 AM | Attr = ]
    {ED65AB23-B24F-11d3-BA80-00C0CA16AA37} [HKLM] -> %ProgramFiles%\Siemens Data Suite\DES\DESShellExt.dll [Mobile PropertySheetHandler] -> Siemens AG [Ver = 1, 2, 5, 65 | Size = 1773568 bytes | Modified Date = 3/15/2004 11:10:06 AM | Attr = ]
    < ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
    {dd230880-495a-11d1-b064-008048ec2fc5} [HKLM] -> %ProgramFiles%\AOL\Active Virus Shield\shellex.dll [Kaspersky Anti-Virus] -> Kaspersky Lab [Ver = 6.0.0.299 | Size = 45163 bytes | Modified Date = 5/25/2006 12:38:22 PM | Attr = ]
    < ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
    {6646F704-1528-4B5C-BAB7-176FA4B5F80A}} [HKLM] -> Reg Data - Key not found [AgentRansackHere] -> File not found
    < ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
    {dd230880-495a-11d1-b064-008048ec2fc5} [HKLM] -> %ProgramFiles%\AOL\Active Virus Shield\shellex.dll [Kaspersky Anti-Virus] -> Kaspersky Lab [Ver = 6.0.0.299 | Size = 45163 bytes | Modified Date = 5/25/2006 12:38:22 PM | Attr = ]
    < ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
    {00020000-0000-1011-8004-0000C06B5161} [HKLM] -> %ProgramFiles%\WIBU-SYSTEMS\System\WibuShellExt.dll [WIBU-SYSTEMS Shell Extension] -> WIBU-SYSTEMS AG [Ver = Version 1.01 of 2001-Nov-28 | Size = 335872 bytes | Modified Date = 12/27/2001 11:02:12 AM | Attr = ]
    < User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    -> ->
    sv1 -> ->
    < Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    cetihpz -> %ProgramFiles%\HP\hpcoretech\comp\hpuiprot.dll -> Hewlett-Packard Company [Ver = 2.1.4 | Size = 81920 bytes | Modified Date = 12/22/2003 8:38:40 AM | Attr = ]
    ipp -> Reg Data - Key not found -> File not found
    msdaipp -> Reg Data - Key not found -> File not found
    vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 11:01:28 AM | Attr = ]
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
    {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab ->
    {166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
    {33363249-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/i263_32.cab ->
    {33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB ->
    {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab ->
    {9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37973.852037037 ->
    {D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->


    [Files - Created Within 60 days]
    ComboFix.txt -> %SystemDrive%\ComboFix.txt -> [Ver = | Size = 5179 bytes | Created Date = 2/14/2007 4:22:04 PM | Attr = ]
    Activescan.txt -> %UserDocuments%\Activescan.txt -> [Ver = | Size = 2580 bytes | Created Date = 2/14/2007 1:49:57 PM | Attr = ]
    BEFORE you POST -Preliminary Steps_ (Start your OWN topic please) - Safer Networking Forums.mht -> %UserDocuments%\BEFORE you POST -Preliminary Steps_ (Start your OWN topic please) - Safer Networking Forums.mht -> [Ver = | Size = 190858 bytes | Created Date = 2/14/2007 1:08:04 PM | Attr = ]
    hijackthis.log -> %UserDocuments%\hijackthis.log -> [Ver = | Size = 7590 bytes | Created Date = 2/14/2007 2:56:57 PM | Attr = ]
    hijackthis2.log -> %UserDocuments%\hijackthis2.log -> [Ver = | Size = 2394 bytes | Created Date = 2/14/2007 5:45:12 PM | Attr = ]
    hijackthis3.log -> %UserDocuments%\hijackthis3.log -> [Ver = | Size = 2819 bytes | Created Date = 2/15/2007 1:40:00 AM | Attr = ]
    KasScan.txt -> %UserDocuments%\KasScan.txt -> [Ver = | Size = 7250 bytes | Created Date = 2/15/2007 1:32:51 AM | Attr = ]
    uninstall_list.txt -> %UserDocuments%\uninstall_list.txt -> [Ver = | Size = 2761 bytes | Created Date = 2/15/2007 1:41:49 AM | Attr = ]
    winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342421 bytes | Created Date = 2/15/2007 3:39:51 PM | Attr = ]
    SpywareGuard.lnk -> %UserStartup%\SpywareGuard.lnk -> [Ver = | Size = 650 bytes | Created Date = 2/15/2007 2:08:25 AM | Attr = ]
    ntbtlog.txt -> %SystemRoot%\ntbtlog.txt -> [Ver = | Size = 59826 bytes | Created Date = 2/14/2007 2:05:14 PM | Attr = ]
    pavsig.txt -> %SystemRoot%\pavsig.txt -> [Ver = | Size = 32 bytes | Created Date = 2/14/2007 1:09:33 PM | Attr = ]
    setupapi.log -> %SystemRoot%\setupapi.log -> [Ver = | Size = 3524 bytes | Created Date = 2/14/2007 11:47:33 PM | Attr = ]
    asfiles.txt -> %System32%\asfiles.txt -> [Ver = | Size = 0 bytes | Created Date = 2/14/2007 2:44:00 AM | Attr = ]
    asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 2/14/2007 2:01:42 AM | Attr = ]
    Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 2/14/2007 1:54:03 AM | Attr = ]
    inetwh32.dll -> %System32%\inetwh32.dll -> Blue Sky Software Corporation. [Ver = 7.00.133 | Size = 49152 bytes | Created Date = 1/8/2007 4:13:32 PM | Attr = R ]
    ksl48.bin -> %System32%\ksl48.bin -> [Ver = | Size = 0 bytes | Created Date = 2/14/2007 1:26:44 AM | Attr = ]
    MSINET.OCX -> %System32%\MSINET.OCX -> Microsoft Corporation [Ver = 6.00.8862 | Size = 115920 bytes | Created Date = 2/14/2007 4:02:33 PM | Attr = ]
    pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Created Date = 2/14/2007 1:53:57 AM | Attr = ]
    roboex32.dll -> %System32%\roboex32.dll -> eHelp Corporation. [Ver = 9.20.534 | Size = 1044480 bytes | Created Date = 1/8/2007 4:13:32 PM | Attr = R ]
    tick48.bin -> %System32%\tick48.bin -> [Ver = | Size = 6 bytes | Created Date = 2/14/2007 1:51:54 AM | Attr = ]
    Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Created Date = 2/14/2007 1:54:04 AM | Attr = ]
    ZPORT4AS.dll -> %System32%\ZPORT4AS.dll -> [Ver = | Size = 11776 bytes | Created Date = 2/14/2007 2:01:42 AM | Attr = ]
    fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 121888 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
    fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 2492 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
    fidbox2.dat -> %System32%\drivers\fidbox2.dat -> [Ver = | Size = 2336 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
    fidbox2.idx -> %System32%\drivers\fidbox2.idx -> [Ver = | Size = 1244 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
    usbsermpt.sys -> %System32%\drivers\usbsermpt.sys -> Microsoft Corporation [Ver = 5.00.2195.6655 | Size = 22768 bytes | Created Date = 1/1/2007 2:50:07 AM | Attr = ]

    [Files - Modified Within 30 days]
    boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 216 bytes | Modified Date = 2/14/2007 2:55:16 AM | Attr = RHS]
    IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 3880492 bytes | Modified Date = 2/15/2007 3:40:14 PM | Attr = H ]
    BEFORE you POST -Preliminary Steps_ (Start your OWN topic please) - Safer Networking Forums.mht -> %UserDocuments%\BEFORE you POST -Preliminary Steps_ (Start your OWN topic please) - Safer Networking Forums.mht -> [Ver = | Size = 190858 bytes | Modified Date = 2/14/2007 1:08:20 PM | Attr = ]
    My Money.mny -> %UserDocuments%\My Money.mny -> [Ver = | Size = 8130560 bytes | Modified Date = 2/14/2007 6:14:26 PM | Attr = ]
    winpfind3u.exe -> %UserDesktop%\winpfind3u.exe -> [Ver = | Size = 342421 bytes | Modified Date = 2/15/2007 3:39:52 PM | Attr = ]
    SpywareGuard.lnk -> %UserStartup%\SpywareGuard.lnk -> [Ver = | Size = 650 bytes | Modified Date = 2/15/2007 2:08:26 AM | Attr = ]
    bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2/15/2007 3:42:36 PM | Attr = S]
    MEMORY.DMP -> %SystemRoot%\MEMORY.DMP -> [Ver = | Size = 0 bytes | Modified Date = 2/15/2007 3:42:30 PM | Attr = ]
    system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 2/14/2007 2:55:16 AM | Attr = ]
    win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 665 bytes | Modified Date = 2/14/2007 2:55:16 AM | Attr = ]
    winamp.ini -> %SystemRoot%\winamp.ini -> [Ver = | Size = 95 bytes | Modified Date = 2/13/2007 1:17:40 AM | Attr = ]
    Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 2/14/2007 1:09:26 PM | Attr = ]
    ksl48.bin -> %System32%\ksl48.bin -> [Ver = | Size = 0 bytes | Modified Date = 2/14/2007 2:04:08 PM | Attr = ]
    pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 2/14/2007 1:09:26 PM | Attr = ]
    tick48.bin -> %System32%\tick48.bin -> [Ver = | Size = 6 bytes | Modified Date = 2/14/2007 1:55:20 PM | Attr = ]
    Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 2/14/2007 1:09:26 PM | Attr = ]
    wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13646 bytes | Modified Date = 2/15/2007 3:42:46 PM | Attr = ]
    fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 121888 bytes | Modified Date = 2/15/2007 3:51:10 PM | Attr = HS]
    fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 2492 bytes | Modified Date = 2/15/2007 3:40:38 PM | Attr = HS]
    fidbox2.dat -> %System32%\drivers\fidbox2.dat -> [Ver = | Size = 2336 bytes | Modified Date = 2/15/2007 3:45:40 PM | Attr = HS]
    fidbox2.idx -> %System32%\drivers\fidbox2.idx -> [Ver = | Size = 1244 bytes | Modified Date = 2/15/2007 3:40:38 PM | Attr = HS]
    klick.sys -> %System32%\drivers\klick.sys -> Kaspersky Lab [Ver = 2.0.0.383 | Size = 74908 bytes | Modified Date = 2/15/2007 3:37:14 PM | Attr = ]
    klin.sys -> %System32%\drivers\klin.sys -> Kaspersky Lab [Ver = 2.0.0.385 | Size = 74396 bytes | Modified Date = 2/15/2007 3:37:14 PM | Attr = ]

    [File String Scan - Non-Microsoft Only]
    File scan skipped for file %UserDocuments%\Compressed Folder.zip -> File size too big (391366552 bytes) ->
    @Alternate Data Stream - 0 bytes -> %UserDocuments%\Thumbs.db:encryptable ->
    PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    PTech , -> %System32%\LegitCheckControl.dll -> Microsoft® Corporation [Ver = 1.3.0254.0 | Size = 520456 bytes | Modified Date = 7/12/2005 5:04:22 PM | Attr = ]
    winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]
    WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 3/31/2003 7:00:00 AM | Attr = ]

    < End of report >
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Just a couple of minor leftovers.

    They look like they have been disinfected but left as empty files, but we will remove them just in case.

    WinPFind3 Fix -

    Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Files - Created Within 60 days]
    NY -> ksl48.bin -> %System32%\ksl48.bin
    NY -> tick48.bin -> %System32%\tick48.bin
    
    The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    When it reboots, post the following back here:
    the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

    Then I think you should reinstall antivir, as it doesn't seem to be running.
     
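A small triage helper along the lines of the specialist's reasoning above, added here as an example that is not part of the thread or of WinPFind3U itself: it parses the report's "Files - Created" section, flags empty or tiny files with no vendor string dropped straight into %System32% inside the infection window, and renders them in the "NY -> name -> path" fix syntax used in the post. The sample lines are copied from the report posted earlier in the thread; the 64-byte size threshold, the date window and the ignore list are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the WinPFind3U report in the thread.
SAMPLE_REPORT = r"""
[Files - Created Within 60 days]
asfiles.txt -> %System32%\asfiles.txt -> [Ver = | Size = 0 bytes | Created Date = 2/14/2007 2:44:00 AM | Attr = ]
asuninst.exe -> %System32%\asuninst.exe -> Panda Software [Ver = 1, 0, 0, 2 | Size = 73728 bytes | Created Date = 2/14/2007 2:01:42 AM | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Created Date = 2/14/2007 1:54:03 AM | Attr = ]
ksl48.bin -> %System32%\ksl48.bin -> [Ver = | Size = 0 bytes | Created Date = 2/14/2007 1:26:44 AM | Attr = ]
tick48.bin -> %System32%\tick48.bin -> [Ver = | Size = 6 bytes | Created Date = 2/14/2007 1:51:54 AM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 121888 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
usbsermpt.sys -> %System32%\drivers\usbsermpt.sys -> Microsoft Corporation [Ver = 5.00.2195.6655 | Size = 22768 bytes | Created Date = 1/1/2007 2:50:07 AM | Attr = ]

[Files - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 216 bytes | Modified Date = 2/14/2007 2:55:16 AM | Attr = RHS]
"""

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"          # WinPFind3U prints "2/14/2007 1:26:44 AM"
SECTION = "[Files - Created Within 60 days]"
# Assumed infection window: the day the Kenrnels88.exe alerts started up to the fix.
INFECTION_WINDOW = (datetime(2007, 2, 14), datetime(2007, 2, 16))


def parse_entry(line):
    """Parse one 'name -> path -> vendor [k = v | ...]' line; None if it isn't one."""
    parts = line.strip().split(" -> ", 2)
    if len(parts) != 3:
        return None
    name, path, rest = parts
    m = re.fullmatch(r"(.*?)\s*\[(.*)\]", rest)
    if not m:
        return None
    attrs = {}
    for field in m.group(2).split(" | "):
        key, _, value = field.partition(" = ")
        attrs[key.strip()] = value.strip()
    size_m = re.match(r"(\d+) bytes", attrs.get("Size", ""))
    created = attrs.get("Created Date")
    return {
        "name": name,
        "path": path,
        "vendor": m.group(1).strip(),          # empty when the file carries no version info
        "size": int(size_m.group(1)) if size_m else None,
        "created": datetime.strptime(created, DATE_FMT) if created else None,
        "attr": attrs.get("Attr", ""),
    }


def parse_section(report, header=SECTION):
    """Return the parsed entries of one section (up to the next blank or '[' line)."""
    entries, inside = [], False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == header:
            inside = True
            continue
        if inside:
            if not stripped or stripped.startswith("["):
                break
            entry = parse_entry(stripped)
            if entry:
                entries.append(entry)
    return entries


def leftover_candidates(entries, window_start, window_end, max_size=64, ignore=frozenset()):
    """Tiny files with no vendor string created directly in %System32% during the window."""
    hits = []
    for e in entries:
        folder = e["path"].rpartition("\\")[0]
        if folder != "%System32%" or e["name"] in ignore:
            continue
        if e["vendor"] or e["size"] is None or e["size"] > max_size:
            continue
        if e["created"] is None or not (window_start <= e["created"] <= window_end):
            continue
        hits.append(e)
    return hits


def winpfind_fix_block(entries, header=SECTION):
    """Render candidates as a WinPFind3U fix block in the 'NY -> name -> path' form."""
    return "\n".join([header] + [f"NY -> {e['name']} -> {e['path']}" for e in entries])


def triage(report=SAMPLE_REPORT, ignore=frozenset({"asfiles.txt"})):
    """End-to-end run; asfiles.txt is ignored because the thread's fix left it alone."""
    hits = leftover_candidates(parse_section(report), *INFECTION_WINDOW, ignore=ignore)
    return winpfind_fix_block(hits)


if __name__ == "__main__":
    print(triage())
```

The output is a candidate list for an analyst to confirm, not something to run blindly: the same filter picks up asfiles.txt, which the specialist chose to leave in place.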
  12. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    [Files - Created Within 60 days]
    File C:\WINDOWS\SYSTEM32\ksl48.bin not found!
    C:\WINDOWS\SYSTEM32\tick48.bin moved successfully.
    < End of log >
    Created on 02/16/2007 17:56:06


    System seems to be running fine. I'm still receiving some incoming and outgoing alerts from the firewall. Antivirus (AOL) is running. Thanks for all your help; here is the latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:09:51 PM, on 2/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Easy Keyboard NT\Easykey.exe
    C:\Program Files\AOL\Active Virus Shield\avp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:MyHomePage
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\WINDOWS\System32\BhoSSafe.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard NT\Easykey.exe
    O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33D6F203-9875-4527-B417-A45F72072A58}: NameServer = 69.72.64.2 69.72.0.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{33D6F203-9875-4527-B417-A45F72072A58}: NameServer = 69.72.64.2 69.72.0.2
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download the GMER rootkit detector from http://gmer.net

    Unzip it & double-click the gmer.exe file.

    Select the Rootkit tab & press Scan.

    When it has finished, press Copy & post back the log it makes.

    Also select the Autostarts tab & do the same there.
     
  14. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    GMER 1.0.12.12027 - http://www.gmer.net
    Rootkit scan 2007-02-17 16:44:00
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcessEx
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSection
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSymbolicLinkObject
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDuplicateObject
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwFlushKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwInitializeRegistry
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey2
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwNotifyChangeKey
    SSDT kl1.sys ZwOpenFile
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenSection
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryMultipleValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwReplaceKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwRestoreKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwResumeThread
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSaveKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetContextThread
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationFile
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationProcess
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetSecurityObject
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetValueKey
    SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSuspendThread
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwUnloadKey
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwWriteVirtualMemory
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[285]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[286]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[287]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[288]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[289]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[290]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[291]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[292]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[293]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[294]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[295]
    SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[296]

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!KiDispatchInterrupt + BA 804D7CB6 7 Bytes JMP F8CEB120 \??\C:\WINDOWS\System32\drivers\klif.sys
    .text tcpip.sys!IPTransmit + 887 F8D2D341 6 Bytes CALL F9A8BCE0 Teefer.sys
    .text tcpip.sys!IPTransmit + 904A F8D35B04 6 Bytes CALL F9A8BCE0 Teefer.sys
    .text tcpip.sys!IPSetIPSecStatus + 1142 F8D42DA8 6 Bytes CALL F9A8BCE0 Teefer.sys
    .text wanarp.sys F9E070C1 4 Bytes CALL F9A8BE30 Teefer.sys
    .text wanarp.sys F9E070C6 2 Bytes [ 90, 90 ]
    .text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 7203407A
    .text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034205
    .text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 720340E9
    .text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72034098

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\kl1 \Device\klick IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klick IRP_MJ_CLOSE [F9DF3480] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klick IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klick IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DF35D0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\kl1 IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
    Device \Driver\kl1 \Device\kl1 IRP_MJ_CLOSE [F9DF3480] wpsdrvnt.sys
    Device \Driver\kl1 \Device\kl1 IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\kl1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DF35D0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\KLCR IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
    Device \Driver\kl1 \Device\KLCR IRP_MJ_CLOSE [F9DF3480] wpsdrvnt.sys
    Device \Driver\kl1 \Device\KLCR IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\KLCR IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DF35D0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klop IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klop IRP_MJ_CLOSE [F9DF3480] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klop IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klop IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DF35D0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klin IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klin IRP_MJ_CLOSE [F9DF3480] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klin IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys
    Device \Driver\kl1 \Device\klin IRP_MJ_INTERNAL_DEVICE_CONTROL [F9DF35D0] wpsdrvnt.sys

    ---- Threads - GMER 1.0.12 ----

    Thread 4:112 8264B3E0
    Thread 4:116 8264B3E0
    Thread 4:120 82623820
    Thread 4:124 82623820
    Thread 4:128 82623820
    Thread 4:284 8264B3E0

    ---- EOF - GMER 1.0.12 ----

    GMER 1.0.12.12027 - http://www.gmer.net
    Autostart scan 2007-02-17 16:44:30
    Windows 5.1.2600 Service Pack 1


    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
    klogon@DLLName = C:\WINDOWS\System32\klogon.dll
    wzcnotif@DLLName = wzcdlg.dll

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    AVP /*Active Virus Shield*/@ = "C:\Program Files\AOL\Active Virus Shield\avp.exe" -r
    [email protected] = %SystemRoot%\system32\drivers\scsiport.sys
    SmcService /*Sygate Personal Firewall*/@ = C:\Program Files\Sygate\SPF\smc.exe
    Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @SmcServiceC:\PROGRA~1\Sygate\SPF\smc.exe -startgui = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    @EasykeyC:\Program Files\Easy Keyboard NT\Easykey.exe = C:\Program Files\Easy Keyboard NT\Easykey.exe
    @aol"C:\Program Files\AOL\Active Virus Shield\avp.exe" = "C:\Program Files\AOL\Active Virus Shield\avp.exe"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
    @{81559C35-8464-49F7-BB0E-07A383BEF910}C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll
    @{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
    @{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/(null) =
    @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/(null) =
    @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/(null) =
    @{ED65AB21-B24F-11d3-BA80-00C0CA16AA37} /*Mobile*/C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll = C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll
    @{ED65AB22-B24F-11d3-BA80-00C0CA16AA37} /*Mobile ContextMenuHandler*/C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll = C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll
    @{ED65AB23-B24F-11d3-BA80-00C0CA16AA37} /*Mobile PropertySheetHandler*/C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll = C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll
    @{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
    @{81559C35-8464-49F7-BB0E-07A383BEF910} /**/C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
    AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
    Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\AOL\Active Virus Shield\shellex.dll

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
    [email protected]{6646F704-1528-4B5C-BAB7-176FA4B5F80A}} =
    AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\AOL\Active Virus Shield\shellex.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    @{206E52E0-D52E-11D4-AD54-0000E86C26F6}C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll = C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
    @{243B17DE-77C7-46BF-B94B-0B5F309A0E64}C:\Program Files\Microsoft Money\System\mnyside.dll = C:\Program Files\Microsoft Money\System\mnyside.dll
    @{333F6B96-3992-4D58-A499-145A10FE48C3}C:\WINDOWS\System32\BhoSSafe.dll = C:\WINDOWS\System32\BhoSSafe.dll
    @{4A368E80-174F-4872-96B5-0B27DDD11DB2}C:\Program Files\SpywareGuard\dlprotect.dll = C:\Program Files\SpywareGuard\dlprotect.dll

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    @Start Pageabout:blank = about:blank
    @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Start Pageabout:MyHomePage = about:MyHomePage
    @Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    [email protected] = C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    [email protected] = C:\WINDOWS\system32\msvidctl.dll
    [email protected] = C:\WINDOWS\System32\itss.dll
    [email protected] = %SystemRoot%\System32\inetcomm.dll
    [email protected] = C:\WINDOWS\System32\itss.dll
    [email protected] = C:\WINDOWS\system32\msvidctl.dll
    [email protected] = C:\WINDOWS\system32\msdxm.ocx

    HKLM\Software\Classes\PROTOCOLS\Handler\[email protected] = C:\WINDOWS\System32\wiascr.dll

    C:\Documents and Settings\a\Start Menu\Programs\Startup >>>
    Memento.lnk = Memento.lnk
    SpywareGuard.lnk = SpywareGuard.lnk

    ---- EOF - GMER 1.0.12 ----
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Nothing showing in GMER. What firewall alerts are you getting?
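The "nothing showing" verdict above rests on recognising every hook in the posted GMER log as belonging to a product installed on the machine: the SSDT and inline hooks come from klif.sys and kl1.sys (Kaspersky's drivers, the engine inside AOL Active Virus Shield), wpsdrvnt.sys and Teefer.sys (Sygate Personal Firewall) and guard.sys (AVG Anti-Spyware). The script below is an added example, not code from the thread or from GMER: it parses the three line shapes GMER 1.0.12 printed above (SSDT entries, inline `.text` patches and device IRP dispatch hooks), attributes each hook to a product from a small allowlist, and lists whatever is left for manual attribution. The log text inside it is constructed to mirror the shape of the posted log; `unknown.sys` is a hypothetical driver name used only to exercise the unexplained path.

```python
"""Triage the hook list from a GMER 'Rootkit' scan.

Added example, not part of the thread or of GMER: parse SSDT, inline '.text'
and device IRP hook lines, attribute each to the driver's product, and report
the remainder for manual attribution.
"""
import re
from collections import defaultdict

# Driver basename -> product. These are the drivers seen in the posted log;
# extend the table for whatever products the examined machine actually runs.
KNOWN_HOOKERS = {
    "klif.sys": "Kaspersky (AOL Active Virus Shield)",
    "kl1.sys": "Kaspersky (AOL Active Virus Shield)",
    "wpsdrvnt.sys": "Sygate Personal Firewall",
    "teefer.sys": "Sygate Personal Firewall",
    "guard.sys": "AVG Anti-Spyware",
}

# Constructed sample in the shape of the log above. 'unknown.sys' is a
# hypothetical driver name, not something found on the machine in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\System32\drivers\unknown.sys ZwQueryDirectoryFile

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804D7CB6 7 Bytes JMP F8CEB120 \??\C:\WINDOWS\System32\drivers\klif.sys
.text tcpip.sys!IPTransmit + 887 F8D2D341 6 Bytes CALL F9A8BCE0 Teefer.sys
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 7203407A
.text wanarp.sys F9E070C6 2 Bytes [ 90, 90 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\kl1 \Device\klick IRP_MJ_CREATE [F9DF3220] wpsdrvnt.sys
Device \Driver\kl1 \Device\klick IRP_MJ_DEVICE_CONTROL [F9DF35A0] wpsdrvnt.sys

---- EOF - GMER 1.0.12 ----
"""

# "SSDT <module path, may contain spaces> <ZwXxx | SSDT[n]>"
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>\S+)$")
# ".text <target> <addr> <n> Bytes <JMP/CALL dest [module] | [ bytes ]>"
TEXT_RE = re.compile(
    r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")
BRANCH_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-F]{8})(?:\s+(?P<module>.+))?$")
# "Device <driver object> <device object> IRP_MJ_xxx [addr] <module>"
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"\[(?P<addr>[0-9A-F]{8})\]\s+(?P<module>\S+)$")


def basename(path):
    # Lower-cased file name of a GMER module field, e.g. the drivers\klif.sys path -> "klif.sys"
    return path.rsplit("\\", 1)[-1].lower()


def parse_hooks(text):
    """Return one dict per hook line: kind, target, module (basename, or None if GMER named none)."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "SSDT", "target": m["func"], "module": basename(m["module"])})
            continue
        m = TEXT_RE.match(line)
        if m:
            branch = BRANCH_RE.match(m["patch"])
            module = basename(branch["module"]) if branch and branch["module"] else None
            hooks.append({"kind": "inline", "target": m["target"], "module": module,
                          "patch": m["patch"]})
            continue
        m = DEVICE_RE.match(line)
        if m:
            hooks.append({"kind": "IRP", "target": f"{m['device']} {m['irp']}",
                          "module": basename(m["module"])})
    return hooks


def triage(hooks):
    """Split hooks into {product: [targets]} plus a list that still needs manual attribution."""
    by_product = defaultdict(list)
    unexplained = []
    for h in hooks:
        product = KNOWN_HOOKERS.get(h["module"]) if h["module"] else None
        if product:
            by_product[product].append(h["target"])
        else:
            unexplained.append(h)
    return dict(by_product), unexplained


if __name__ == "__main__":
    by_product, unexplained = triage(parse_hooks(SAMPLE_LOG))
    for product, targets in by_product.items():
        print(f"{product}: {len(targets)} hook(s) -> {', '.join(targets)}")
    print("Needs manual attribution:")
    for h in unexplained:
        print(f"  {h['kind']:6} {h['target']}  module={h['module']}  {h.get('patch', '')}")
```

Two things the leftover list should not be read as a verdict on. A user-mode inline hook with a bare `JMP 7203xxxx` and no module name, like the ntdll.dll entries in the posted log, only means GMER did not name the DLL mapped at that address in the scanned process; find that DLL (Process Explorer's DLL view works) before deciding whether it is a security product's user-mode hook or something else. And the two-byte `[ 90, 90 ]` patch reported at wanarp.sys F9E070C6 sits directly after the five-byte CALL into Teefer.sys at F9E070C1, so it reads as padding from the same Sygate patch; the script lists it separately, so adjacent entries on one target should be read together.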
     
Short URL to this thread: https://techguy.org/544109

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice