
Idiot (Me) Installed Norton 2005 Now have problems

Discussion in 'Virus & Other Malware Removal' started by XPBri, Jan 23, 2005.

  1. XPBri

    XPBri Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    15
    First off, I'm an idiot.
    That clearly stated, here is my problem:
    I am running Windows 2000 Pro. I had been using Spybot, Ad-aware, Zone Alarm Pro, and AVG for virus protection. I had a brilliant idea to switch to Norton Anti-Virus 2005 (n). When installing Norton, it made me delete AVG; this was when my problems began. I tried to play an online game, BF1942, and I kept getting kicked for inadequate O/S Privileges. Well, after some searches I found I was infected by VX2 (I think). So I figured Norton would fix the mess it created; it opened the quarantine list that AVG had created, and sent all the little devils contained within it throughout my machine. Norton cannot delete the problem files, and upon manual deletion they come back after a reboot. I paid Norton $29.00 for a product support call with no resolution :eek: If you can please take a moment to help me it would be greatly appreciated, and a donation will be headed your way :)
    Thanks,
    Brian


    Note: I noticed that HJT was outdated so I ran this log with the latest version


    Logfile of HijackThis v1.99.0
    Scan saved at 6:43:34 PM, on 1/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\system32\ntsmod.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\wrrogi.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Home\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
    O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Wonderful Norton 2005 scan results:
    coozqy.dll Adware.QoolAid
    dCdref.dll Adware.Look2Me
    pbbyka.dat Adware.QoolAid
     
  2. XPBri

    Here are a couple more logs; I'll add the Spybot log when it completes ;)
    Also, I have spyblaster installed on the machine.
    Thanks Again,
    Brian

    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---

    Additional Files---

    Keys Under Notify---AtiExtEvent
    Keys Under Notify---ATINotify
    Keys Under Notify---Control Panel
    Keys Under Notify---crypt32chain
    Keys Under Notify---cryptnet
    Keys Under Notify---cscdll
    Keys Under Notify---sclgntfy
    Keys Under Notify---SensLogn
    Keys Under Notify---wzcnotif


    Guardian Key--- is called:

    User Agent String---
    {7591635B-8C5A-41E2-BAD5-836F54786397}


    Hosts Log:
    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    69.20.16.183 auto.search.msn.com
    69.20.16.183 search.netscape.com
    69.20.16.183 ieautosearch
    69.20.16.183 ieautosearch
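The "O1 - Hosts:" lines in the HijackThis log and the "Hosts Log" in the VX2 finder output show two very different kinds of hosts-file entry side by side: sinkhole entries that point known adware domains at 127.0.0.1 (the kind a blocking tool writes on purpose) and hijack entries that point the hostnames Internet Explorer uses for its built-in search (auto.search.msn.com, search.netscape.com, the dotless ieautosearch name) at a public address. The following Python script is an added example, not part of this thread and not output from any of the tools shown; it separates the two cases so that a helper reading such a log can see at a glance which entries are protective and which redirect the user. The SEARCH_HOSTS allow-list and the SAMPLE_LINES input are constructed for the example and mirror the shapes of the lines quoted above (the public IP 198.51.100.7 is a documentation address used only to show the "suspicious" verdict).

```python
import ipaddress
import re

# Hostnames that Windows and Internet Explorer resolve for built-in search
# features; a hosts entry sending these anywhere but a sinkhole address is a
# search hijack. Constructed allow-list for this example; extend as needed.
SEARCH_HOSTS = {
    "auto.search.msn.com",
    "search.netscape.com",
    "ieautosearch",
    "sitefinder.verisign.com",
}

# Constructed sample input: a mix of HijackThis "O1 - Hosts:" lines and raw
# hosts-file lines in the shapes seen in the thread's logs.
SAMPLE_LINES = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
127.0.0.1 www.igetnet.com
127.0.0.1 clear-search.com
0.0.0.0 ads.example.invalid
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
198.51.100.7 www.example.invalid
# a comment line, ignored
127.0.0.1 localhost
""".splitlines()

# Optional HijackThis prefix, then an address and a hostname.
HOST_RE = re.compile(r"^(?:O1 - Hosts:\s*)?(\S+)\s+(\S+)")


def parse_hosts_lines(lines):
    """Yield (ip_address, hostname) pairs; skip blanks, comments and junk."""
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = HOST_RE.match(stripped)
        if not match:
            continue
        ip_text, host = match.group(1), match.group(2).lower()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not an address, e.g. a stray word from a garbled line
        yield ip, host


def classify(ip, host):
    """Return 'normal', 'block', 'hijack' or 'suspicious' for one entry."""
    if host == "localhost":
        return "normal"
    # Loopback or 0.0.0.0 sinkholes the name: a blocking entry, not a redirect.
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    # A search hostname, or a dotless name IE tries first, sent to a real host.
    if host in SEARCH_HOSTS or "." not in host:
        return "hijack"
    # Any other name mapped to a real address deserves a look.
    return "suspicious"


def triage(lines):
    """Map hostname -> (address, verdict); later duplicates overwrite earlier."""
    verdicts = {}
    for ip, host in parse_hosts_lines(lines):
        verdicts[host] = (str(ip), classify(ip, host))
    return verdicts


def hijacks_by_target(lines):
    """Group hijacked hostnames by the address they are redirected to."""
    grouped = {}
    for host, (addr, verdict) in triage(lines).items():
        if verdict == "hijack":
            grouped.setdefault(addr, []).append(host)
    return {addr: sorted(hosts) for addr, hosts in grouped.items()}


if __name__ == "__main__":
    for host, (addr, verdict) in sorted(triage(SAMPLE_LINES).items()):
        print(f"{verdict:10s} {addr:15s} {host}")
    print("hijack targets:", hijacks_by_target(SAMPLE_LINES))
```

Grouping the hijacked names by destination address is the useful part: in the logs above every redirected search hostname lands on the same address, which is what tells a helper the entries belong to one hijacker rather than to several unrelated problems, and the sinkhole entries for igetnet.com and clrsch.com can be left alone.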
     
  3. XPBri

    Spybot log
    Elitum.EliteBar: Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1547161642-1275210071-839522115-1000\Software\LQ

    Common hijacker: Redirected host (Redirected host, nothing done)


    Common hijacker: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)


    CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)


    IGetNet: Redirected host (Redirected host, nothing done)



    --- Spybot - Search && Destroy version: 1.3 ---
    2004-11-29 Includes\Cookies.sbi
    2005-01-04 Includes\Dialer.sbi
    2005-01-04 Includes\Hijackers.sbi
    2004-12-29 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2005-01-04 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2004-11-29 Includes\Security.sbi
    2005-01-05 Includes\Spybots.sbi
    2004-11-29 Includes\Tracks.uti
    2005-01-04 Includes\Trojans.sbi
     
  4. XPBri

    Finally, here is my Ad-Aware SE log. Note that it deletes most of the errors found, but when the machine reboots there are even more found :(


    Ad-Aware SE Build 1.05
    Logfile Created on:Sunday, January 23, 2005 5:20:55 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R25 11.01.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    CoolWebSearch(TAC index:10):4 total references
    Ebates MoneyMaker(TAC index:4):1 total references
    Elitum.ElitebarBHO(TAC index:5):42 total references
    MRU List(TAC index:0):43 total references
    Redirected hostfile entry(TAC index:4):5 total references
    Search Miracle(TAC index:5):3 total references
    VX2(TAC index:10):6 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    1-23-2005 5:20:55 PM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\nico mak computing\winzip\filemenu
    Description : winzip recently used archives


    MRU List Object Recognized!
    Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
    Description : information on the last station listened to using musicmatch radio


    MRU List Object Recognized!
    Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
    Description : file conversion location settings in musicmatch jukebox


    MRU List Object Recognized!
    Location: : software\musicmatch
    Description : download location of the musicmatch installer


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\runmru
    Description : mru list for items opened in start | run


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
    Description : list of recent files opened using wordpad


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\regedit
    Description : last key accessed using the microsoft registry editor


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description : list of files recently opened using microsoft paint


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\excel\recent files
    Description : list of recent files used by microsoft excel


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
    Description : list of recent documents saved by microsoft word


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
    Description : list of recent documents opened by microsoft word


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\microsoft management console\recent file list
    Description : list of recent snap-ins used in the microsoft management console


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
    Description : last playlist index loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
    Description : last playlist loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\preferences
    Description : last search path used in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\settings
    Description : last save as directory used in jasc paint shop pro


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\settings
    Description : last open directory used in jasc paint shop pro


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\player\recentfilelist
    Description : list of recently used files in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\mediaplayer\medialibraryui
    Description : last selected node in the microsoft windows media player media library


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\internet explorer
    Description : last download directory used in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\navigation\mrulist
    Description : list for the navigation feature of microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recently created servers
    Description : list of recently created servers in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent web list
    Description : list of recently used webs in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent page list
    Description : list of recently used pages in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\explorer\frontpage explorer\recent file list
    Description : list of recently used files in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\editor\per-web image save directories
    Description : list of image save directories per web in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage\editor\insert image\recently used urls
    Description : list of recently used urls in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\frontpage
    Description : default save location in microsoft frontpage


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\directinput\mostrecentapplication
    Description : most recent application to use microsoft directinput


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\directinput\mostrecentapplication
    Description : most recent application to use microsoft directinput


    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : software\microsoft\direct3d\mostrecentapplication
    Description : most recent application to use microsoft direct3d


    MRU List Object Recognized!
    Location: : software\microsoft\direct3d\mostrecentapplication
    Description : most recent application to use microsoft direct X


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\ahead\cover designer\recent file list
    Description : list of recently used files in ahead cover designer


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
    Description : list of recently used files in adobe reader


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\winrar\dialogedithistory\extrpath
    Description : winrar "extract-to" history


    MRU List Object Recognized!
    Location: : S-1-5-21-1547161642-1275210071-839522115-1000\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    MRU List Object Recognized!
    Location: : C:\Documents and Settings\Home\recent
    Description : list of recently opened documents


    MRU List Object Recognized!
    Location: : C:\Documents and Settings\Home\Application Data\microsoft\office\recent
    Description : list of recently opened documents using microsoft office


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 168
    ThreadCreationTime : 1-23-2005 10:15:27 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ProcessID : 188
    ThreadCreationTime : 1-23-2005 10:15:44 PM
    BasePriority : High


    VX2 Object Recognized!
    Type : Process
    Data : k4260efseh260.dll
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINNT\system32\


    Warning! VX2 Object found in memory(C:\WINNT\system32\k4260efseh260.dll)


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 240
    ThreadCreationTime : 1-23-2005 10:15:45 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6700
    ProductVersion : 5.00.2195.6700
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : services.exe

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 252
    ThreadCreationTime : 1-23-2005 10:15:45 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6902
    ProductVersion : 5.00.2195.6902
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : lsasrv.dll and lsass.exe

    #:5 [ati2evxx.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 372
    ThreadCreationTime : 1-23-2005 10:15:48 PM
    BasePriority : Normal


    #:6 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 452
    ThreadCreationTime : 1-23-2005 10:15:49 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:7 [sndsrvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 464
    ThreadCreationTime : 1-23-2005 10:15:49 PM
    BasePriority : Normal
    FileVersion : 5.4.3.11
    ProductVersion : 5.4
    ProductName : Symantec Security Drivers
    CompanyName : Symantec Corporation
    FileDescription : Network Driver Service
    InternalName : SndSrvc
    LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
    OriginalFilename : SndSrvc.exe

    #:8 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 500
    ThreadCreationTime : 1-23-2005 10:15:49 PM
    BasePriority : Normal
    FileVersion : 103.0.3.8
    ProductVersion : 103.0.3.8
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec Settings Manager Service
    InternalName : ccSetMgr
    LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
    OriginalFilename : ccSetMgr.exe

    #:9 [spbbcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
    ProcessID : 524
    ThreadCreationTime : 1-23-2005 10:15:50 PM
    BasePriority : Normal
    FileVersion : 1,0,1,47
    ProductVersion : 1,0,1,47
    ProductName : SPBBC
    CompanyName : Symantec Corporation
    FileDescription : SPBBC Service
    InternalName : SPBBCSvc
    LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
    OriginalFilename : SPBBCSvc.exe

    #:10 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 588
    ThreadCreationTime : 1-23-2005 10:15:53 PM
    BasePriority : Normal
    FileVersion : 103.0.3.8
    ProductVersion : 103.0.3.8
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec Event Manager Service
    InternalName : ccEvtMgr
    LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
    OriginalFilename : ccEvtMgr.exe

    #:11 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 708
    ThreadCreationTime : 1-23-2005 10:15:54 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6659
    ProductVersion : 5.00.2195.6659
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolss.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : spoolss.exe

    #:12 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ProcessID : 752
    ThreadCreationTime : 1-23-2005 10:15:55 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:13 [hidserv.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 768
    ThreadCreationTime : 1-23-2005 10:15:56 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6655
    ProductVersion : 5.00.2195.6655
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : HID Audio Service
    InternalName : hidserv
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : HIDSERV.EXE

    #:14 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ProcessID : 808
    ThreadCreationTime : 1-23-2005 10:15:57 PM
    BasePriority : Normal
    FileVersion : 11.0.2.4
    ProductVersion : 11.0.2
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
    OriginalFilename : NAVAPSVC.EXE

    #:15 [npfmntor.exe]
    FilePath : C:\Program Files\Norton AntiVirus\IWP\
    ProcessID : 820
    ThreadCreationTime : 1-23-2005 10:15:58 PM
    BasePriority : Normal
    FileVersion : 11.0.2.4
    ProductVersion : 11.0.2
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Firewall Install Monitor
    InternalName : NPFMonitor
    LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
    OriginalFilename : NPFMonitor.EXE

    #:16 [regsvc.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 880
    ThreadCreationTime : 1-23-2005 10:15:58 PM
    BasePriority : Normal
    FileVersion : 5.00.2195.6701
    ProductVersion : 5.00.2195.6701
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Remote Registry Service
    InternalName : regsvc
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : REGSVC.EXE

    #:17 [mstask.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 932
    ThreadCreationTime : 1-23-2005 10:15:59 PM
    BasePriority : Normal
    FileVersion : 4.71.2195.6920
    ProductVersion : 4.71.2195.6920
    ProductName : Microsoft® Windows® Task Scheduler
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    LegalCopyright : Copyright (C) Microsoft Corp. 1997
    OriginalFilename : mstask.exe

    #:18 [smagent.exe]
    FilePath : C:\Program Files\Analog Devices\SoundMAX\
    ProcessID : 1008
    ThreadCreationTime : 1-23-2005 10:16:03 PM
    BasePriority : Normal
    FileVersion : 3, 2, 6, 0
    ProductVersion : 3, 2, 6, 0
    ProductName : SoundMAX service agent
    CompanyName : Analog Devices, Inc.
    FileDescription : SoundMAX service agent component
    InternalName : SMAgent
    LegalCopyright : Copyright © 2002
    OriginalFilename : SMAgent.exe

    #:19 [symlcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ProcessID : 1040
    ThreadCreationTime : 1-23-2005 10:16:04 PM
    BasePriority : Normal
    FileVersion : 1, 8, 54, 478
    ProductVersion : 1, 8, 54, 478
    ProductName : Symantec Core Component
    CompanyName : Symantec Corporation
    FileDescription : Symantec Core Component
    InternalName : symlcsvc
    LegalCopyright : Copyright (C) 2003
    OriginalFilename : symlcsvc.exe

    #:20 [vsmon.exe]
    FilePath : C:\WINNT\system32\ZoneLabs\
    ProcessID : 1068
    ThreadCreationTime : 1-23-2005 10:16:06 PM
    BasePriority : Normal
    FileVersion : 4.0.146.029
    ProductVersion : 4.0.146.029
    ProductName : TrueVector Service
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
    OriginalFilename : vsmon.exe

    #:21 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ProcessID : 620
    ThreadCreationTime : 1-23-2005 10:16:30 PM
    BasePriority : Normal
    FileVersion : 1.50.1085.0100
    ProductVersion : 1.50.1085.0100
    ProductName : Windows Management Instrumentation
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

    #:22 [mspmspsv.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 1228
    ThreadCreationTime : 1-23-2005 10:16:31 PM
    BasePriority : Normal
    FileVersion : 7.01.00.3055
    ProductVersion : 7.01.00.3055
    ProductName : Microsoft (R) DRM
    CompanyName : Microsoft Corporation
    FileDescription : WMDM PMSP Service
    InternalName : MSPMSPSV.EXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : MSPMSPSV.EXE

    #:23 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 1240
    ThreadCreationTime : 1-23-2005 10:16:31 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : svchost.exe

    #:24 [ati2evxx.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 1108
    ThreadCreationTime : 1-23-2005 10:16:38 PM
    BasePriority : Normal


    CoolWebSearch Object Recognized!
    Type : Process
    Data : ebbuno.dll
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINNT\system32\


    Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\ebbuno.dll)


    #:25 [explorer.exe]
    FilePath : C:\WINNT\
    ProcessID : 1348
    ThreadCreationTime : 1-23-2005 10:16:38 PM
    BasePriority : Normal
    FileVersion : 5.00.3700.6690
    ProductVersion : 5.00.3700.6690
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : EXPLORER.EXE

    VX2 Object Recognized!
    Type : Process
    Data : MVVBVM60.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINNT\system32\


    Warning! VX2 Object found in memory(C:\WINNT\system32\MVVBVM60.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : ebbuno.dll
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINNT\system32\


    Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\ebbuno.dll)


    #:26 [smax4pnp.exe]
    FilePath : C:\Program Files\Analog Devices\SoundMAX\
    ProcessID : 1628
    ThreadCreationTime : 1-23-2005 10:17:04 PM
    BasePriority : Normal
    FileVersion : 4, 0, 4, 1
    ProductVersion : 4, 0, 4, 1
    ProductName : SMax4PNP Application
    CompanyName : Analog Devices, Inc.
    FileDescription : SMax4PNP MFC Application
    InternalName : SMax4PNP
    LegalCopyright : Copyright (C) 2002-2003 Analog Devices
    OriginalFilename : SMax4PNP.EXE

    #:27 [smax4.exe]
    FilePath : C:\Program Files\Analog Devices\SoundMAX\
    ProcessID : 1632
    ThreadCreationTime : 1-23-2005 10:17:05 PM
    BasePriority : Normal
    FileVersion : 4, 0, 4, 22
    ProductVersion : 4, 0, 4, 22
    ProductName : SoundMAX Control Panel
    CompanyName : Analog Devices, Inc.
    FileDescription : SoundMAX Control Center
    InternalName : SMax4
    LegalCopyright : Copyright © 2002-2003, Analog Devices
    OriginalFilename : SMax4.EXE

    #:28 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ProcessID : 1652
    ThreadCreationTime : 1-23-2005 10:17:07 PM
    BasePriority : Normal
    FileVersion : 6.0.2
    ProductVersion : QuickTime 6.0.2
    ProductName : QuickTime
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    LegalCopyright : © Apple Computer, Inc. 2001-2002
    OriginalFilename : QTTask.exe
     
  5. XPBri

    XPBri Thread Starter

    #:29 [zapro.exe]
    FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\
    ProcessID : 1668
    ThreadCreationTime : 1-23-2005 10:17:08 PM
    BasePriority : Normal
    FileVersion : 4.0.146.029
    ProductVersion : 4.0.146.029
    ProductName : ZoneAlarm Pro
    CompanyName : Zone Labs Inc.
    FileDescription : ZoneAlarm Pro
    InternalName : zapro
    LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
    OriginalFilename : zapro.exe

    #:30 [sgtray.exe]
    FilePath : C:\Program Files\Common Files\Sonic\Update Manager\
    ProcessID : 1704
    ThreadCreationTime : 1-23-2005 10:17:11 PM
    BasePriority : Normal
    FileVersion : 1.01.32a
    CompanyName : Sonic Solutions
    FileDescription : Sonic Update Manager
    LegalCopyright : Copyright © 2002 Sonic Solutions

    #:31 [cli.exe]
    FilePath : C:\Program Files\ATI Technologies\ATI.ACE\
    ProcessID : 1736
    ThreadCreationTime : 1-23-2005 10:17:12 PM
    BasePriority : Normal


    #:32 [jusched.exe]
    FilePath : C:\Program Files\Java\j2re1.4.2_05\bin\
    ProcessID : 1744
    ThreadCreationTime : 1-23-2005 10:17:12 PM
    BasePriority : Normal


    #:33 [itouch.exe]
    FilePath : C:\Program Files\Logitech\iTouch\
    ProcessID : 1780
    ThreadCreationTime : 1-23-2005 10:17:16 PM
    BasePriority : Normal
    FileVersion : 2.20.243
    ProductVersion : 2.20.243
    ProductName : iTouch
    CompanyName : Logitech Inc.
    FileDescription : iTouch Application
    InternalName : iTouch
    LegalCopyright : (C) 1998-2003 Logitech. All rights reserved.
    LegalTrademarks : Logitech® and iTouch® are registered trademarks of Logitech Inc.
    OriginalFilename : iTouch.exe
    Comments : Created by the iTouch team

    #:34 [ntsmod.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 1804
    ThreadCreationTime : 1-23-2005 10:17:17 PM
    BasePriority : Normal
    FileVersion : 5.01.2600
    ProductVersion : 5.01.2600
    ProductName : ntsmod
    FileDescription : NT System Module
    InternalName : ntsmod
    LegalCopyright : Copyright (c) 2003
    OriginalFilename : ntsmod.exe
    Comments : NT System Module

    #:35 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ProcessID : 1836
    ThreadCreationTime : 1-23-2005 10:17:17 PM
    BasePriority : Normal
    FileVersion : 103.0.3.8
    ProductVersion : 103.0.3.8
    ProductName : Client and Host Security Platform
    CompanyName : Symantec Corporation
    FileDescription : Symantec User Session
    InternalName : ccApp
    LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
    OriginalFilename : ccApp.exe

    #:36 [em_exec.exe]
    FilePath : C:\Program Files\Logitech\MouseWare\system\
    ProcessID : 1856
    ThreadCreationTime : 1-23-2005 10:17:18 PM
    BasePriority : Normal
    FileVersion : 9.79.019
    ProductVersion : 9.79.019
    ProductName : MouseWare
    CompanyName : Logitech Inc.
    FileDescription : Logitech Events Handler Application
    InternalName : Em_Exec
    LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
    LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
    OriginalFilename : Em_Exec.exe
    Comments : Created by the MouseWare team

    #:37 [usrprmpt.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\Security Center\
    ProcessID : 1820
    ThreadCreationTime : 1-23-2005 10:17:20 PM
    BasePriority : Normal
    FileVersion : 2005.1.2.20
    ProductVersion : 2005.1
    ProductName : Norton Security Center
    CompanyName : Symantec Corporation
    FileDescription : Norton Security Center Helper
    InternalName : UsrPrmpt.dll
    LegalCopyright : Copyright (c) 1997-2004 Symantec Corporation
    OriginalFilename : UsrPrmpt.dll

    #:38 [quickdcf.exe]
    FilePath : C:\Program Files\FinePixViewer\
    ProcessID : 1988
    ThreadCreationTime : 1-23-2005 10:17:27 PM
    BasePriority : Normal
    FileVersion : 2, 0, 0, 3
    ProductVersion : 2, 0, 0, 3
    ProductName : FinePixViewer
    CompanyName : FUJI PHOTO FILM CO., LTD.
    FileDescription : Exif Launcher
    InternalName : QuickDCF
    LegalCopyright : Copyright 2000-2001 FUJI PHOTO FILM CO.,LTD.
    OriginalFilename : QuickDCF.exe

    #:39 [httpiu.exe]
    FilePath : C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    ProcessID : 2000
    ThreadCreationTime : 1-23-2005 10:17:28 PM
    BasePriority : Normal


    VX2 Object Recognized!
    Type : Process
    Data : httpiu.exe
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Warning! VX2 Object found in memory(C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe)

    Warning! "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe"Process could not be terminated!
    "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\httpiu.exe"Process terminated successfully

    #:40 [rundll32.exe]
    FilePath : C:\WINNT\system32\
    ProcessID : 1600
    ThreadCreationTime : 1-23-2005 10:18:30 PM
    BasePriority : Normal
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : RUNDLL.EXE

    VX2 Object Recognized!
    Type : Process
    Data : guard.tmp
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINNT\system32\


    Warning! VX2 Object found in memory(C:\WINNT\system32\guard.tmp)

    Warning! "C:\WINNT\system32\rundll32.exe"Process could not be terminated!

    #:41 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 488
    ThreadCreationTime : 1-23-2005 10:20:40 PM
    BasePriority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 49


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Elitum.ElitebarBHO Object Recognized!
    Type : Regkey
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : AccountNumber

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : uninstalled

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : _show

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : FirstTimeStarted

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : SearchIndex

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : AutoComplete

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : ac1

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : adult.tbr

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : popupblocker

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : default.tbr

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : search.mnu

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : version

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : path

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : UpdateDate

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : guid

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : searchkeys

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : errorreport

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : excluded

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : keywords

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : axparam

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : city

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : state

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : country

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum\elitetoolbar
    Value : Activated

    Ebates MoneyMaker Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment : "AC"
    Rootkey : HKEY_USERS
    Object : S-1-5-21-1547161642-1275210071-839522115-1000\software\lq
    Value : AC

    Search Miracle Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment : "kalvsys"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : kalvsys

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 27
    Objects found so far: 76


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 76


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 76



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 76


    Deep scanning and examining files (G:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for G:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 76


    Scanning Hosts file......
    Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Warning!
    Bad Hosts file entry:69.20.16.183:search.netscape.com


    Redirected hostfile entry Object Recognized!
    Type : Hosts file
    Data : 69.20.16.183
    Category : Misc
    Comment : Possible CoolWebSearch Hijack
    Bad Hostfile entry : 69.20.16.183:search.netscape.com
    Warning!
    Bad Hosts file entry:69.20.16.183:ieautosearch


    Redirected hostfile entry Object Recognized!
    Type : Hosts file
    Data : 69.20.16.183
    Category : Misc
    Comment : Possible CoolWebSearch Hijack
    Bad Hostfile entry : 69.20.16.183:ieautosearch
    Warning!
    Bad Hosts file entry:69.20.16.183:ieautosearch


    Redirected hostfile entry Object Recognized!
    Type : Hosts file
    Data : 69.20.16.183
    Category : Misc
    Comment : Possible CoolWebSearch Hijack
    Bad Hostfile entry : 69.20.16.183:ieautosearch
    Warning!
    Bad Hosts file entry:69.20.16.183:auto.search.msn.com


    Redirected hostfile entry Object Recognized!
    Type : Hosts file
    Data : 69.20.16.183
    Category : Misc
    Comment : Possible CoolWebSearch Hijack
    Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
    Warning!
    Bad Hosts file entry:69.20.16.183:ieautosearch


    Redirected hostfile entry Object Recognized!
    Type : Hosts file
    Data : 69.20.16.183
    Category : Misc
    Comment : Possible CoolWebSearch Hijack
    Bad Hostfile entry : 69.20.16.183:ieautosearch

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    15 entries scanned.
    New critical objects:5
    Objects found so far: 81




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    VX2 Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\toolbar\webbrowser
    Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

    VX2 Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : Narrator

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Custom Search URL

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    Elitum.ElitebarBHO Object Recognized!
    Type : Regkey
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : TM

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : AT

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : AC

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : U

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : AD

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : I

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : AM

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : TR

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : country

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : city

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : state

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : RX

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : RX2.8

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : RX2.9

    Elitum.ElitebarBHO Object Recognized!
    Type : RegValue
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\lq
    Value : RX3.0

    Elitum.ElitebarBHO Object Recognized!
    Type : Regkey
    Data :
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\elitum

    Search Miracle Object Recognized!
    Type : File
    Data : tmp1.tmp
    Category : Malware
    Comment :
    Object : C:\DOCUME~1\Home\LOCALS~1\Temp\



    Search Miracle Object Recognized!
    Type : File
    Data : tmp75.tmp
    Category : Malware
    Comment :
    Object : C:\DOCUME~1\Home\LOCALS~1\Temp\



    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 23
    Objects found so far: 104

    5:31:00 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:10:04.313
    Objects scanned:119179
    Objects identified:56
    Objects ignored:0
    New critical objects:56
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Hi and welcome to TSG,

    Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

    Save the file to your desktop and double click l2mfix.exe. Read and accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
     
  7. XPBri

    XPBri Thread Starter

    Here is the log- and thank you for helping =)
    Brian
    L2MFIX find log 1.02
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
    "Asynchronous"=dword:00000000
    "DllName"="logonnfy.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventConsoleLock"
    "Unlock"="WLEventConsoleUnLock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\o484lelq1hqe.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7591635B-8C5A-41E2-BAD5-836F54786397}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
    "{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
    "{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
    "{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
    "{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
    "{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
    "{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
    "{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
    "{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
    "{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
    "{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
    "{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
    "{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
    "{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
    "{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
    "{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network and Dial-up Connections"
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
    "{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
    "{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
    "{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
    "{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
    "{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
    "{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
    "{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
    "{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
    "{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
    "{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
    "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
    "{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
    "{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
    "{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
    "{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
    "{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
    "{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
    "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
    "{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
    "{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
    "{A470F8CF-A1E8-4f65-8335-227475AA5C46}"="Add encryption item to context menus in explorer"
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
    "{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
    "{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
    "{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
    "{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
    "{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
    "{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
    "{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
    "{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
    "{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
    "{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
    "{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
    "{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
    "{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
    "{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
    "{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
    "{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
    "{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
    "{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
    "{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
    "{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
    "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
    "{EAB841A0-9550-11CF-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
    "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}"="Office Graphics Filters Thumbnail Extractor"
    "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
    "{500202A0-731E-11D0-B829-00C04FD706EC}"="LNK file thumbnail interface delegator"
    "{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
    "{0B124F8C-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
    "{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
    "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}"="Directory Namespace"
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
    "{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
    "{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
    "{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
    "{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
    "{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
    "{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
    "{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
    "{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
    "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
    "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
    "{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
    "{F5D92341-0A64-11D0-9956-0000E8096023}"="CD Copy Shell Extension"
    "{F5D92342-0A64-11D0-9956-0000E8096023}"="CD Wizard Shell Extension"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
    "{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
    "{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}"=""
    "{E9D65FF5-32B0-4437-9585-FED5712D1207}"=""
    "{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}"=""
    "{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}"=""
    "{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}"=""
    "{50811444-8123-4233-A31B-5D55A3751197}"=""
    "{C5B8D122-63E0-4326-9448-679EA0338EC7}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{37C3FCE9-25F1-403A-886D-0B7E5D965A0E}\InprocServer32]
    @="C:\\WINNT\\system32\\TgkatiRedistributor.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E9D65FF5-32B0-4437-9585-FED5712D1207}\InprocServer32]
    @="C:\\WINNT\\system32\\ecpsrv.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{5D1578B3-DE5D-458D-B4AB-462E1BC485FF}\InprocServer32]
    @="C:\\WINNT\\system32\\MVVBVM60.DLL"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\InprocServer32]
    @="C:\\WINNT\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E3ED8C11-7F81-44CE-B4BB-327CD65DF789}\InprocServer32]
    @="C:\\WINNT\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\InprocServer32]
    @="C:\\WINNT\\system32\\sjrobj.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{C5B8D122-63E0-4326-9448-679EA0338EC7}\InprocServer32]
    @="C:\\WINNT\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:

    C:\WINNT\SYSTEM32\
    akupd.dll Thu Jan 13 2005 6:09:02p A.... 155,648 152.00 K
    ciodm.dll Thu Nov 4 2004 11:41:52p A.... 68,880 67.27 K
    coozqy.dll Sun Jan 23 2005 2:41:06p A.... 5,632 5.50 K
    dosync.dll Thu Jan 13 2005 10:47:24p A.... 114,688 112.00 K
    ebbuno.dll Sat Jan 15 2005 9:41:56a A.... 24,576 24.00 K
    hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
    hypertrm.dll Tue Nov 16 2004 5:47:02a A.... 576,784 563.27 K
    mshtml.dll Mon Oct 25 2004 10:39:16a A.... 2,693,120 2.57 M
    o484le~1.dll Sun Jan 23 2005 5:01:18p A.... 223,005 217.78 K
    riowmsp.dll Mon Dec 13 2004 10:00:44p A.... 1,171,456 1.12 M
    shdocvw.dll Thu Nov 11 2004 11:20:56p A.... 1,332,224 1.27 M
    sp3res.dll Thu Dec 2 2004 9:27:18a ..... 6,272,512 5.98 M
    urlmon.dll Mon Oct 25 2004 10:39:52a A.... 450,048 439.50 K
    user32.dll Wed Dec 29 2004 4:14:10a A.... 380,688 371.77 K

    14 items found: 14 files (1 H/S), 0 directories.
    Total of file sizes: 13,692,890 bytes 13.05 M
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/23/2005 05:45p 223,629 hrj0051me.dll
    01/19/2005 05:43p <DIR> dllcache
    05/10/2000 10:00p 397,312 Msrdo20.dll
    03/13/2000 10:00p 151,552 Rdocurs.dll
    3 File(s) 772,493 bytes
    1 Dir(s) 57,305,837,568 bytes free
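A small triage helper for the log format pasted above, added here as an example rather than one of the tools Cookiegal links: it parses REGEDIT-style text such as the VX2Finder and Find.bat output in this thread and flags the blank-name entries under Shell Extensions\Approved together with the server their CLSID loads (guard.tmp in the log above), plus any Winlogon Notify handler registered by absolute path (the SharedDLLs entry). The sample input is a constructed, cut-down excerpt in the same format, and the function names are my own.

```python
"""Triage helper for REGEDIT-style dumps such as the VX2Finder and Find.bat logs in this
thread (added example, not one of the thread's tools). It flags the two traces those logs
show: approved shell-extension entries with an empty display name, resolved to the server
their CLSID loads (e.g. guard.tmp), and Winlogon Notify handlers registered by full path."""
import re

# Constructed excerpt in the shape of the thread's logs: the file names are the ones the
# thread reports, the set of keys is cut down to what the two checks need.
SAMPLE_LOG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINNT\\system32\\o484lelq1hqe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}"=""
"{50811444-8123-4233-A31B-5D55A3751197}"=""

[HKEY_CLASSES_ROOT\CLSID\{2F517A1D-006B-4EEB-B9C2-6E8258B5164A}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"

[HKEY_CLASSES_ROOT\CLSID\{50811444-8123-4233-A31B-5D55A3751197}\InprocServer32]
@="C:\\WINNT\\system32\\sjrobj.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')
APPROVED = r"hkey_local_machine\software\microsoft\windows\currentversion\shell extensions\approved"
NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"

def parse_reg(text):
    """Return {key: {value_name: raw_data}}. Key paths are lower-cased because the
    registry is case-insensitive and the logs mix SOFTWARE/Software; '@' is the default."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current["@" if m.group(1) is None else m.group(1)] = m.group(2)
    return keys

def unquote(data):
    """Decode a REG_SZ literal or a hex(2) byte dump (REG_EXPAND_SZ, the way crypt32chain
    appears in the thread's logs) to plain text; other data types are returned raw."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        enc = "utf-16-le" if len(raw) > 1 and raw[1] == 0 else "latin-1"
        return raw.decode(enc).rstrip("\x00")
    return data

def blank_shell_extensions(keys):
    """Approved CLSIDs with no display name, paired with the server their InprocServer32 loads."""
    found = []
    for clsid, data in keys.get(APPROVED, {}).items():
        if clsid.startswith("{") and unquote(data) == "":
            srv = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
            found.append((clsid, unquote(srv["@"]) if "@" in srv else None))
    return found

def full_path_notify_handlers(keys):
    """Notify subkeys (lower-cased) whose DllName is an absolute path; stock ones are bare names."""
    found = []
    for key, vals in keys.items():
        if key.startswith(NOTIFY):
            dll = next((v for k, v in vals.items() if k.lower() == "dllname"), None)
            if dll is not None and ":\\" in unquote(dll):
                found.append((key[len(NOTIFY):], unquote(dll)))
    return found

def triage(text):
    """Run both checks over one pasted log; each hit carries a one-line reason."""
    keys, report = parse_reg(text), []
    for clsid, path in blank_shell_extensions(keys):
        odd = path is not None and path.lower().endswith(".tmp")
        report.append(("ShellExt", clsid, path,
                       "COM server is not a .dll" if odd else "unnamed shell extension"))
    for sub, dll in full_path_notify_handlers(keys):
        report.append(("Notify", sub, dll, "handler registered by absolute path"))
    return report

if __name__ == "__main__":
    for kind, what, where, why in triage(SAMPLE_LOG):
        print(f"{kind:8} {what:42} -> {where}  [{why}]")
```

Pasting a complete VX2Finder or Find.bat log into `triage()` works the same way; the separator lines and section labels in those logs match neither regex and are ignored.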
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,236
    The tool is not recognizing the files so we'll have to revert to the more tedious removal method.

    Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

    Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.downloads.subratam.org/VX2Finder.exe


    Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

    Save it to your desktop.

    Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

    It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

    In a few minutes it will complete then you will see in blue Completed.
    Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry that needs to be removed will change, as will some of the file names, and we will have to start all over.
     
  9. XPBri

    XPBri Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    15
    Thanks! I made a donation to the site for all of your help (Hopefully you get a portion) =)
    Brian

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/23/2005 05:45p 223,629 hrj0051me.dll
    01/19/2005 05:43p <DIR> dllcache
    05/10/2000 10:00p 397,312 Msrdo20.dll
    03/13/2000 10:00p 151,552 Rdocurs.dll
    3 File(s) 772,493 bytes
    1 Dir(s) 57,298,395,136 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/23/2005 06:14p 335 vsconfig.xml
    01/19/2005 05:43p <DIR> dllcache
    12/02/2003 08:21a 4,212 zllictbl.dat
    10/04/2003 04:43p <DIR> GroupPolicy
    10/04/2003 04:36p 271 desktop.ini
    10/04/2003 04:36p 21,692 folder.htt
    4 File(s) 26,510 bytes
    2 Dir(s) 57,298,395,136 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    12/07/1999 07:00a 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 57,298,391,040 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7591635B-8C5A-41E2-BAD5-836F54786397}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
    "Asynchronous"=dword:00000000
    "DllName"="logonnfy.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventConsoleLock"
    "Unlock"="WLEventConsoleUnLock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\o484lelq1hqe.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    ------------------ Locate.com Results ------------------

    C:\WINNT\SYSTEM32\
    hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
    vsconfig.xml Sun Jan 23 2005 6:14:14p A..H. 335 0.32 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 223,964 bytes 218.71 K

    ------------ Strings.exe Qoologic Results ------------

    C:\WINNT\system32\coozqy.dll: updates.qoologic.com
    C:\WINNT\system32\ebbuno.dll: updates.qoologic.com
    C:\WINNT\system32\hwwmaz.exe: updates.qoologic.com

    -------------- Strings.exe Aspack Results -------------

    C:\WINNT\system32\pbbyka.dat: .aspack
    C:\WINNT\system32\wrrogi.exe: .aspack
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\httpiu.exe: .aspack

    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
    "Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
    "REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
    "PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
    @=""
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
    "kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
    "Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    

    Log for VX2.BetterInternet File Finder (ALL)

    Files Found---

    Additional Files---

    Keys Under Notify---
    AtiExtEvent
    ATINotify
    crypt32chain
    cryptnet
    cscdll
    sclgntfy
    SensLogn
    SharedDLLs
    wzcnotif


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
    {7591635B-8C5A-41E2-BAD5-836F54786397}






    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINNT\SYSTEM32\hrj005~1.dll Sun Jan 23 2005 5:45:32p ..S.R 223,629 218.39 K
    C:\WINNT\SYSTEM32\msrdo20.dll Wed May 10 2000 10:00:00p A.S.. 397,312 388.00 K
    C:\WINNT\SYSTEM32\rdocurs.dll Mon Mar 13 2000 10:00:00p A.S.. 151,552 148.00 K
    ________________________________________________

    1,223 items found: 1,223 files (3 H/S), 0 directories.
    Total of file sizes: 240,928,878 bytes 229.77 M

    Administrator Account = True

    --------------------End log---------------------
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,236
    Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip the file to your desktop.

    Click here: http://www.downloads.subratam.org/KillBox.exe to download Pocket KillBox.

    Unzip the files to the folder of your choice.

    Also I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

    IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Double click on the fix.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\hrj0051me.dll
    C:\WINNT\system32\o484lelq1hqe.dll
    C:\WINNT\system32\coozqy.dll
    C:\WINNT\system32\ebbuno.dll
    C:\WINNT\system32\hwwmaz.exe
    C:\WINNT\system32\pbbyka.dat
    C:\WINNT\system32\wrrogi.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\httpiu.exe

    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log and a log from DLLCompare.

    Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
     
  11. XPBri

    XPBri Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    15
    OK, I followed the instructions to a "t", and here are the logs that you requested:



    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/19/2005 05:43p <DIR> dllcache
    05/10/2000 10:00p 397,312 Msrdo20.dll
    03/13/2000 10:00p 151,552 Rdocurs.dll
    2 File(s) 548,864 bytes
    1 Dir(s) 57,317,683,200 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/23/2005 06:14p 335 vsconfig.xml
    01/19/2005 05:43p <DIR> dllcache
    12/02/2003 08:21a 4,212 zllictbl.dat
    10/04/2003 04:43p <DIR> GroupPolicy
    10/04/2003 04:36p 271 desktop.ini
    10/04/2003 04:36p 21,692 folder.htt
    4 File(s) 26,510 bytes
    2 Dir(s) 57,317,683,200 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    12/07/1999 07:00a 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 57,317,679,104 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7591635B-8C5A-41E2-BAD5-836F54786397}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
    "Asynchronous"=dword:00000000
    "DllName"="logonnfy.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventConsoleLock"
    "Unlock"="WLEventConsoleUnLock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\hrj0051me.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    ------------------ Locate.com Results ------------------

    C:\WINNT\SYSTEM32\
    vsconfig.xml Sun Jan 23 2005 6:14:14p A..H. 335 0.32 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 335 bytes 0.32 K

    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------


    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
    "Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
    "REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
    "PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
    @=""
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
    "kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
    "Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    



    Logfile of HijackThis v1.99.0
    Scan saved at 9:54:20 PM, on 1/23/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\system32\ntsmod.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\programfiles\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wrrogi.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
    O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINNT\SYSTEM32\msrdo20.dll Wed May 10 2000 10:00:00p A.S.. 397,312 388.00 K
    C:\WINNT\SYSTEM32\rdocurs.dll Mon Mar 13 2000 10:00:00p A.S.. 151,552 148.00 K
    ________________________________________________

    1,219 items found: 1,219 files (2 H/S), 0 directories.
    Total of file sizes: 240,452,036 bytes 229.31 M

    Administrator Account = True

    --------------------End log---------------------
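The two Find.bat sections the helper is working from in the logs above, the Winlogon Notify keys and the HKLM Run key, can be triaged mechanically. The script below is an added example, not code from Find.bat, HijackThis or anyone in the thread: it parses the REGEDIT4 text (decoding the hex(2) DLL names), flags a Notify package loaded by absolute path or missing from a short allow-list that the example assumes, and flags Run values that launch a program from the system directory under a name with nothing in common with the file, such as "Narrator" launching wrrogi.exe.

```python
"""Triage the "Keys Under Notify" and "HKLM Run Key" sections of a Find.bat log.
Added example for this thread, not Find.bat or HijackThis code."""
import re

SYSTEM_DIR = re.compile(r"\\(winnt|windows)\\system32\\", re.IGNORECASE)  # \WINNT on Win2k

# Stock Windows 2000 notification packages plus the ATI ones in this log:
# an allow-list assumed by the example, not an authoritative list.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll", "logonnfy.dll", "ati2evxx.dll"}

# Constructed excerpt of the REGEDIT4 text Find.bat printed in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrj0051me.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
"ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
"Narrator"="C:\\WINNT\\system32\\wrrogi.exe"
'''

def decode_value(raw):
    """Decode a REGEDIT4 value: quoted string, dword:, or hex(2) (REG_EXPAND_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # comma-separated ANSI bytes, NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw

def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            keys[current][name] = decode_value(raw)
    return keys

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def _executable_of(command):  # path the Run value launches; handles quoted paths
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def _name_tokens(value_name):
    """'PinnacleDriverCheck' -> {'pinnacle', 'driver', 'check'}."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", value_name)
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", spaced) if len(t) >= 3}

def suspicious_notify_dlls(keys):
    """Notify subkeys whose DllName is an absolute path or an unknown DLL."""
    hits = []
    for key, values in keys.items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll and ("\\" in dll or _basename(dll).lower() not in KNOWN_NOTIFY_DLLS):
            hits.append((key.rsplit("\\", 1)[-1], dll))
    return hits

def suspicious_run_entries(keys):
    """Run values launching from the system directory under an unrelated name.
    A value named after its own file (ntsmod -> ntsmod.exe) needs file-level checks."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, command in values.items():
            path = _executable_of(command) if isinstance(command, str) else ""
            if not SYSTEM_DIR.search(path):
                continue
            stem = _basename(path).lower().rsplit(".", 1)[0]
            if not any(tok in stem for tok in _name_tokens(name)):
                hits.append((name, _basename(path)))
    return hits

if __name__ == "__main__":
    keys = parse_regedit4(SAMPLE_EXPORT)
    print(suspicious_notify_dlls(keys), suspicious_run_entries(keys))
```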
     
  12. XPBri

    XPBri Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    15
    This all may have been done in vain. After that last post, the wonderful computer locked up and rebooted itself. I don't know if I should start the whole procedure over, or if the same problem may occur?
    Thanks Again,
    Brian
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,236
    Please post a current Hijack This log and a Findit log. I think we're going to be OK.
     
  14. XPBri

    XPBri Thread Starter

    Joined:
    Jan 23, 2005
    Messages:
    15
    Sorry for the delay in my response. I left the computer on overnight; when I got home from work, it was still up and running =)


    Logfile of HijackThis v1.99.0
    Scan saved at 6:24:13 PM, on 1/24/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINNT\system32\ntsmod.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\programfiles\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snkypete.com/forum
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe Ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ntsmod] C:\WINNT\system32\ntsmod.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfmt32.exe
    O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wrrogi.exe
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpsvtr.exe
    O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: strings.exe
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_2_3_0.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINNT\system32\RioMSC.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Home\Desktop\Find It NT-2K-XP

    ------- System Files in System32 Directory -------
    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/19/2005 05:43p <DIR> dllcache
    05/10/2000 10:00p 397,312 Msrdo20.dll
    03/13/2000 10:00p 151,552 Rdocurs.dll
    2 File(s) 548,864 bytes
    1 Dir(s) 57,248,313,344 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    01/24/2005 06:21p 335 vsconfig.xml
    01/19/2005 05:43p <DIR> dllcache
    12/02/2003 08:21a 4,212 zllictbl.dat
    10/04/2003 04:43p <DIR> GroupPolicy
    10/04/2003 04:36p 271 desktop.ini
    10/04/2003 04:36p 21,692 folder.htt
    4 File(s) 26,510 bytes
    2 Dir(s) 57,248,313,344 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 5CE8-CE59

    Directory of C:\WINNT\System32

    12/07/1999 07:00a 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 57,248,309,248 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{7591635B-8C5A-41E2-BAD5-836F54786397}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ATINotify]
    "Asynchronous"=dword:00000000
    "DllName"="logonnfy.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventConsoleLock"
    "Unlock"="WLEventConsoleUnLock"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\hrj0051me.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    ------------------ Locate.com Results ------------------

    C:\WINNT\SYSTEM32\
    vsconfig.xml Mon Jan 24 2005 6:21:10p A..H. 335 0.32 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 335 bytes 0.32 K

    ------------ Strings.exe Qoologic Results ------------


    -------------- Strings.exe Aspack Results -------------


    ----------------- HKLM Run Key ------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe\" /tray"
    "Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Zone Labs Client"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zapro.exe"
    "REGSHAVE"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
    "PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
    "UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
    "Openwares LiveUpdate"="C:\\Program Files\\LiveUpdate\\LiveUpdate.exe"
    @=""
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "ntsmod"="C:\\WINNT\\system32\\ntsmod.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
    "kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
    "Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,236
    I am attaching a fix2.zip file to this post. Download fix2.zip to your desktop and unzip it.

    IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Double click on the fix2.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"

    Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\hrj0051me.dll
    C:\winnt\system32\kalvfmt32.exe
    C:\WINNT\system32\wrrogi.exe


    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log and a log from DLLCompare.

    Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
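    The output.txt posted above dumps the HKLM Run key and the Winlogon\Notify subkeys in REGEDIT4 export format, and the two files Cookiegal lists for Killbox (kalvfmt32.exe and wrrogi.exe) are exactly the Run entries in that dump that point into system32. Below is an added example, my own code and not a tool anyone in this thread used, that parses that export format: it decodes the hex(2) (REG_EXPAND_SZ) DllName values the Notify dump uses, extracts the binary each Run entry launches (including the DLL behind a rundll32 entry), and lists the ones living in the Windows system directory for review. The sample export is constructed from the kinds of entries seen in the log. Location alone is not a verdict, since legitimate autoruns live in system32 too (PinnacleDriverCheck in the same log points there); the list is what a helper would check by hand, as was done in this thread.

```python
"""Parse a REGEDIT4 export and list the autostart binaries it references.

Added example for this thread (mine, not a tool anyone in the thread used).
The export below is constructed from the kinds of entries seen in the log.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample in the same shape as the HKLM Run / Winlogon\Notify dumps.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PtiuPbmd"="Rundll32.exe Ptipbm.dll,SetWriteBack"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PinnacleDriverCheck"="C:\\WINNT\\system32\\PSDrvCheck.exe"
@=""
"kalvsys"="C:\\winnt\\system32\\kalvfmt32.exe"
"Narrator"="C:\\WINNT\\system32\\wrrogi.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''

RegValue = Union[str, int, bytes]
RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# "Name"=value  or  @=value  (the @ line is the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"')
EXE_RE = re.compile(r'^(.*?\.exe)\b', re.IGNORECASE)


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_value(raw: str) -> RegValue:
    """Turn the right-hand side of a .reg value line into str / int / bytes."""
    raw = raw.strip()
    if raw.startswith('"'):
        m = STRING_RE.match(raw)
        if m is None:
            raise ValueError('unterminated string: ' + raw)
        return _unescape(m.group(1))
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex'):
        body = raw.split(':', 1)[1]
        data = bytes(int(b, 16) for b in body.split(',') if b.strip())
        if raw.startswith('hex(2):'):
            # REGEDIT4 writes REG_EXPAND_SZ as NUL-terminated ANSI bytes
            # (a "Version 5.00" export would be UTF-16LE instead).
            return data.split(b'\x00', 1)[0].decode('latin-1')
        return data
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each [key] in the export to its {value name: decoded value}."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex continuation lines
    tree: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.upper().startswith('REGEDIT'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '' if m.group(2) else _unescape(m.group(1))
        tree[current][name] = decode_value(m.group(3))
    return tree


def executable_of(command: str) -> str:
    """Program launched by an autorun command line (quoted path, or up to .exe)."""
    command = command.strip()
    if not command:
        return ''
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def rundll32_module(command: str) -> Optional[str]:
    """For 'rundll32.exe <dll>,<entry>' the DLL is what really gets loaded."""
    exe = executable_of(command)
    if ntpath.basename(exe).lower() != 'rundll32.exe':
        return None
    s = command.strip()
    rest = s[len(exe) + 2:] if s.startswith('"') else s[len(exe):]
    return rest.strip().split(',', 1)[0].strip().strip('"') or None


def run_entries(tree: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str, str]]:
    """(value name, command line, executable) for every non-empty Run entry."""
    out = []
    for key, values in tree.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, value in values.items():
            if isinstance(value, str) and value:
                out.append((name, value, executable_of(value)))
    return out


def notify_dlls(tree: Dict[str, Dict[str, RegValue]]) -> Dict[str, str]:
    """Winlogon\\Notify subkey name -> DLL it registers (either value spelling)."""
    out = {}
    for key, values in tree.items():
        if '\\winlogon\\notify\\' not in key.lower():
            continue
        for vname, value in values.items():
            if vname.lower() == 'dllname' and isinstance(value, str):
                out[key.rsplit('\\', 1)[1]] = value
    return out


def in_system_dir(path: str) -> bool:
    p = path.lower()
    return '\\system32\\' in p or '\\system\\' in p


def review_candidates(tree: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Run entries whose binary sits in the system directory: check by hand."""
    return sorted(name for name, _, exe in run_entries(tree) if in_system_dir(exe))


if __name__ == '__main__':
    tree = parse_reg_export(SAMPLE_EXPORT)
    for name, cmd, exe in run_entries(tree):
        via = rundll32_module(cmd)
        note = ' <- in the system directory, verify' if in_system_dir(exe) else ''
        print(f'{name:24} {exe}{" -> " + via if via else ""}{note}')
    for sub, dll in notify_dlls(tree).items():
        print(f'Winlogon\\Notify\\{sub}: {dll}')
```

Run it against a saved output.txt by reading the file into parse_reg_export instead of SAMPLE_EXPORT; anything it lists under review_candidates is worth checking against the vendor the value name claims before deciding it belongs in a Killbox list.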
     
Short URL to this thread: https://techguy.org/322670