1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Oh Why Oh Why

Discussion in 'Virus & Other Malware Removal' started by ColleenA, Jun 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    Hope this helps... have to do it in 2 posts though too many characters



    StartupList report, 6/27/2006, 7:39:40 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\WINDOWS\system32\ServeHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\SearchNet\SearchNet.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HuaCi\huaci\zsearch.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup]
    csrss.lnk = ?
    »®´ÊËÑË÷.lnk = C:\Program Files\HuaCi\huaci\zsearch.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
    !ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    zango = "c:\program files\zango\zango.exe"
    UserFaultCheck = %systemroot%\system32\dumprep 0 -u
    t0d = RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    Mysee Alert = "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
    Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    csrss = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    CdnCtr =

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    csrss =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
    (no name) - C:\WINDOWS\Downlo~1\q0tp5k.dll - {3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}
     
  2. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    here is the 2nd post

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [TruePass EPF 7,0,100,717]
    CODEBASE = https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    OSD = C:\WINDOWS\Downloaded Program Files\TruePass EPF 7,0,100,717.osd

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [StagingUI Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
    CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

    [ZoneBuddy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
    CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

    [ZonePAChat Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
    CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

    [Ofoto Upload Manager Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
    CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    [ZPA_HRTZ Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

    [ZPA_SHVL Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

    [ZooInstaller Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
    CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

    [ZoneIntro Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    [StadiumProxy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
    CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

    [WheelofFortune Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
    CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

    [PopCapLoader Object]
    InProcServer32 = blank
    CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

    [ZPA_Backgammon Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    .Net Boot Service: C:\WINDOWS\system32\big5_gb2312.exe (disabled)
    abhcop: system32\drivers\abhcop.sys (system)
    Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD: \SystemRoot\System32\drivers\afd.sys (system)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Anfad: system32\drivers\Anfad.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
    auyj59s7: system32\drivers\auyj59s7.sys (system)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
    CdaD10BA: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS (autostart)
    CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Disk Driver: system32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
    Dot4 HPH09: system32\DRIVERS\hphid409.sys (manual start)
    Print Class Driver for IEEE-1284.4 HPH09: system32\DRIVERS\hphipr09.sys (manual start)
    Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
    Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
    ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
    ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
    FAD: system32\DRIVERS\FAD.sys (system)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
    VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
    Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\DRIVERS\fltMgr.sys (system)
    Freedom Miniport: system32\DRIVERS\FREEDOM.SYS (manual start)
    Freedom Filter: System32\Drivers\FreeTdi.sys (system)
    Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
    fu1hme04: \??\C:\WINDOWS\system32\drivers\fu1hme04.sys (system)
    GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
    hcalway: system32\DRIVERS\hcalway.sys (system)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
    InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
    IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
    iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
    IPSEC driver: system32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
    Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
    Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Net MD: System32\Drivers\NETMDUSB.sys (manual start)
    1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
    PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
    Parallel port driver: system32\DRIVERS\parport.sys (manual start)
    PCAMPR5 NDIS Protocol Driver: \??\C:\WINDOWS\system32\PCAMPR5.SYS (manual start)
    PCI Bus Driver: system32\DRIVERS\pci.sys (system)
    PCIIde: system32\DRIVERS\pciide.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    Logitech QuickCam Express(PID_0920): system32\DRIVERS\LV532AV.SYS (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Pml Driver: C:\WINDOWS\system32\HPHipm09.exe (manual start)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: system32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
    Remote Log: system32\ServeHost.exe (autostart)
    Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: system32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS300i: system32\DRIVERS\sis300ip.sys (manual start)
    Service for AC'97 Sample Driver (WDM): system32\drivers\ac97sis.sys (manual start)
    SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
    BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
    Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
    System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Srv: system32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
    BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{3237AAD4-75E7-4BEF-ABFA-CC11C6628ABB} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 38,118 bytes
    Report generated in 1.723 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    There is a lot to do here and it may involve editing the registry but I would like to start by just doing this for now please.


    This will all be done under Nicholas' profile.


    Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"


    Boot to safe mode and navigate to this folder:

    C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup

    Open the Startup folder and delete these items:

    csrss.lnk

    »®´ÊËÑË÷.lnk


    While in safe mode run Killbox on this folder:

    C:\WINDOWS\system32\ntzwlhyuqk


    Reboot and post the following:

    1. New HijackThis log
    2. New HIjackThis startup log
    3. New WinpFind log
     
  4. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    K, here are the logs

    I will put the WinpFind in a second post

    When I went into Nicholas's start up the only file in there was the EENE file the csrss.ink was not there.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:41 PM, on 6/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whiteninjacomics.com/archive-comics.shtml
    F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
    O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    O4 - Startup: csrss.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
    O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
    O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    StartupList report, 6/27/2006, 9:35:43 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\ServeHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SearchNet\SearchNet.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup]
    csrss.lnk = ?

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
    !ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    zango = "c:\program files\zango\zango.exe"
    UserFaultCheck = %systemroot%\system32\dumprep 0 -u
    t0d = RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    Mysee Alert = "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
    Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    csrss = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    CdnCtr =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    csrss =

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
    (no name) - C:\WINDOWS\Downlo~1\q0tp5k.dll - {3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [StagingUI Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
    CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

    [ZoneBuddy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
    CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

    [ZonePAChat Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
    CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

    [Ofoto Upload Manager Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
    CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    [ZPA_HRTZ Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

    [ZPA_SHVL Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

    [ZooInstaller Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
    CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

    [ZoneIntro Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    [StadiumProxy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
    CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

    [WheelofFortune Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
    CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

    [PopCapLoader Object]
    InProcServer32 = blank
    CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

    [ZPA_Backgammon Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 11,456 bytes
    Report generated in 0.190 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    Here is the WinpFind log

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    PEC2 8/4/2004 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    PECompact2 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 6/8/2006 9:19:50 PM 5967776 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 8:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 8:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/4/2004 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    aspack 1/20/2006 3:40:42 PM R 783984 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    6/27/2006 9:31:34 PM S 2048 C:\WINDOWS\bootstat.dat
    6/27/2006 12:08:14 AM H 54156 C:\WINDOWS\QTFont.qfn
    6/17/2006 10:13:24 AM H 65536 C:\WINDOWS\Minidump\Mini061706-01.dmp
    5/14/2006 6:21:52 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
    5/5/2006 10:22:46 AM S 12227 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914389.cat
    5/29/2006 12:16:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
    5/18/2006 3:15:12 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917344.cat
    5/4/2006 6:37:36 PM S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917734.cat
    6/1/2006 4:28:56 PM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    6/27/2006 9:33:28 PM H 1024 C:\WINDOWS\system32\config\default.LOG
    6/27/2006 9:31:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    6/27/2006 9:41:52 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
    6/27/2006 9:37:34 PM H 1024 C:\WINDOWS\system32\config\software.LOG
    6/27/2006 9:40:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
    6/23/2006 3:15:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    5/28/2006 11:29:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\9b2bfb91-210e-4e5c-add5-a50ad005d879
    5/28/2006 11:29:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
    5/24/2006 5:51:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d27aec55-df77-497b-9804-47a5571b66f9
    5/24/2006 5:51:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    6/27/2006 9:31:38 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 4/13/2005 3:48:52 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    RealNetworks, Inc. 9/4/2005 9:18:28 PM 24064 C:\WINDOWS\SYSTEM32\prefscpl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    Microsoft Corporation 8/4/2004 8:00:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
    Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    8/28/2005 11:15:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    8/26/2005 3:33:14 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    8/26/2005 3:10:16 PM 1672 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetAssistant.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/26/2005 7:50:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
    3/12/2006 6:05:30 PM 1767 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

    Checking files in %USERPROFILE%\Startup folder...
    11/2/2005 11:54:16 PM HS 80 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\csrss.lnk
    8/26/2005 12:10:22 PM HS 84 C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    8/26/2005 7:50:26 AM HS 62 C:\Documents and Settings\Nicholas\Application Data\desktop.ini

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
    = C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
    = C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{FFFFE5C1-34AF-4d4d-B3D3-5BB86A2BAA7B}
    = C:\Program Files\Zero Knowledge\Freedom\AVContextR.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
    Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
    IE Address Browser Helper = C:\Program Files\SearchNet\SNHpr.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C060EA2-E6A9-4E49-A530-D4657B8C449A}
    PopKill Class = C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    IE Browser Helper = C:\WINDOWS\Downlo~1\q0tp5k.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56071E0D-C61B-11D3-B41C-00E02927A304}
    ZKBho Class = C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    Real.com = C:\WINDOWS\system32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\system32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    {463DF6D5-BEC1-4D67-B217-59DB692DFC53} = :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    SsAAD.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    SearchNet_Up "C:\Program Files\SearchNet\ServeUp.exe"
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    zango "c:\program files\zango\zango.exe"
    UserFaultCheck %systemroot%\system32\dumprep 0 -u
    t0d RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run
    SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    Mysee Alert "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray
    Motive SmartBridge C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    LVCOMS C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
    CXMon "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    csrss C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    CdnCtr

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    warez "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    csrss

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 1
    NoAdminPage 1


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
    Debugger = C:\WINDOWS\system32\rundll32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 6/27/2006 9:44:36 PM
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    I'm signing off for the night but will study this in the morning. :)
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
    Run the program and click the Web button as shown here:
    [​IMG]

    Use this URL to copy into the address bar of the Download script window:
    http://metallica.geekstogo.com/MediaGateway.BFU

    Make sure all IE windows are closed.

    Execute the script by clicking the Execute button.


    Go to Start > Run
    Type:
    • regedit
    Click OK.
    • On the left side, click to highlight My Computer at the top.
    • Go up to "File > Export"
      • Make sure in that window there is a tick next to "All" under Export Branch.
        Leave the "Save As Type" as "Registration Files".
        Under "Filename" put backup
    • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
    • Click save and then go to File > Exit.
    This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find Remote Log - Beijing zhongsou online software.
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    I'm attaching a FixColleen2.zip file to this post. Unzip it to your desktop but don't do anything with it yet. We will use it later in safe mode.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    F3 - REG:win.ini: load=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

    F3 - REG:win.ini: run=C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

    O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

    O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll

    O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

    O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - HKLM\..\Run: [t0d] RunDll32 "C:\WINDOWS\Downlo~1\t0d.dll",Run

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

    O4 - HKLM\..\Run: [Mysee Alert] "C:\Program Files\GAOV\Mysee Alert\Mysee Alert.exe" -notray

    O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    O4 - Startup: csrss.lnk = ?

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab

    O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe



    Reboot to safe mode and run Killbox on these files/folders:

    C:\Program Files\Wsearch

    C:\Program Files\searchnet\serveup.exe

    C:\Program Files\SearchNet\searchnet.exe

    C:\Program Files\SearchNet\uninstall.exe

    C:\Program Files\SearchNet\srvnet32.dll

    C:\WINDOWS\system32\drivers\anfad.sys

    C:\WINDOWS\system32\drivers\fad.sys

    C:\WINDOWS\system32\snhpr.dll

    C:\WINDOWS\system32\srvnet32.dll

    C:\WINDOWS\system32\drivers\xcvmp7.sys

    C:\WINDOWS\system32\drivers\anfad.sys

    C:\WINDOWS\system32\drivers\svq0hve.sys

    C:\WINDOWS\system32\drivers\xcvmp7.sys

    C:\WINDOWS\system32\servehost.dat

    C:\WINDOWS\system32\servehost.exe

    C:\Documents and Settings\Nicholas\Start Menu\Programs\Startup\csrss.lnk

    C:\Program Files\SearchNet\SNHpr.dll

    C:\WINDOWS\Downlo~1\q0tp5k.dll

    C:\WINDOWS\system32\ntzwlhyuqk\csrss.exe

    C:\WINDOWS\system32\ntzwlhyuqk

    c:\program files\zango\zango.exe

    c:\program files\zango

    C:\PROGRAM FILES\NEWDOTNET

    C:\Program Files\GAOV\Mysee Alert



    While still in safe mode double click on the FixColleen2.reg file that you unzipped to your desktop earlier and allow it to enter into the registry.

    Reboot and post a new HijackThis log for Nicholas please.
     

    Attached Files:

  8. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    do i run the BFU on Nicholas profile or mine?
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    Run everything while in Nicholas' account please.
     
  10. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    K that was a little more confusing even though I could follow it.

    First off, when i ran the first Hijack on Nicholas' account to fix the problems. There were two files not there.

    O2 - BHO: IE Browser Helper - {3CE496D1-1746-41CD-9489-3C0B93DF10E2} - C:\WINDOWS\Downlo~1\q0tp5k.dll

    O4 - HKLM\..\Run: [csrss] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    Then when I rebooted to safe mode I could not get into Nicholas' account to run Killbox, so I ran it on mine but put in the files you indicated (so to me that should be fine 'cause I think it searches the whole machine for the file).
    Most of the files did not exist or could not be deleted. Only 2 files were actually deleted. Let me know if you need to know which files did not exist and which ones could not be deleted.

    Here is Nicholas' new hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:33:26 PM, on 6/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\SearchNet\ServeUp.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whiteninjacomics.com/archive-comics.shtml
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
    O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
    O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
    O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    Thanks
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    Alright, we will finish up with Nicholas later.

    Let's go back to your account and please post a current HijackThis scan log as well as a HijackThis start up log please.
     
  12. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    Here are my two most recent logs. I will have to put the start up log in a separate post

    Logfile of HijackThis v1.99.1
    Scan saved at 6:48:41 PM, on 6/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\ServeHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\SearchNet\SearchNet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll
    O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
    O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab
    O16 - DPF: {A9FDC7FD-FE81-4910-8CF2-FA59EEFE11EC} (ZooInstaller Class) - http://www.zoo-games.com/ClientSite/ZooInstaller.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{37C2D4C1-A9A2-4B71-987F-7E1D20FD8E3E}: NameServer = 67.69.184.151 206.47.244.57
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

    Thanks
     
  13. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    Here is my start up log it is in 2 separate posts as it is too large.

    StartupList report, 6/28/2006, 6:49:14 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\ServeHost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\SearchNet\SearchNet.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colleen\Desktop\HiJack\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Colleen\Start Menu\Programs\Startup]
    LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    HPDJ Taskbar Utility = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    SsAAD.exe = C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    SearchNet_Up = "C:\Program Files\SearchNet\ServeUp.exe"
    !ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Motive SmartBridge = C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    warez = "C:\Documents and Settings\Nicholas\My Documents\game\Warez P2P Client\warez.exe" -h
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{4b218e3e-bc98-4770-93d3-2731b9329278}] *
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
     
  14. ColleenA

    ColleenA Thread Starter

    Joined:
    Feb 18, 2002
    Messages:
    295
    Here is the second part of start up log

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SearchNet\SNHpr.dll - {2A0176FE-008B-4706-90F5-BBA532A49731}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\pkR.dll - {3C060EA2-E6A9-4E49-A530-D4657B8C449A}
    (no name) - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll - {56071E0D-C61B-11D3-B41C-00E02927A304}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [TruePass EPF 7,0,100,717]
    CODEBASE = https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    OSD = C:\WINDOWS\Downloaded Program Files\TruePass EPF 7,0,100,717.osd

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [StagingUI Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
    CODEBASE = http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

    [ZoneBuddy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
    CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

    [ZonePAChat Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
    CODEBASE = http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab

    [Ofoto Upload Manager Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\axofupld.dll
    CODEBASE = http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    [ZPA_HRTZ Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_hrtz.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab37625.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.photolab.ca/en/Photo/ImageUploader3.cab

    [ZPA_SHVL Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\zpa_shvl.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/zpa_shvl.cab46704.cab

    [ZooInstaller Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZooInstaller.dll
    CODEBASE = http://www.zoo-games.com/ClientSite/ZooInstaller.cab

    [ZoneIntro Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

    [Java Plug-in 1.5.0_03]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\flash8a.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    [StadiumProxy Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
    CODEBASE = http://zone.msn.com/binframework/v10/StProxy.cab41227.cab

    [WheelofFortune Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WoF.ocx
    CODEBASE = http://messenger.zone.msn.com/binary/WoF.cab31267.cab

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

    [ZPA_Backgammon Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
    CODEBASE = http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab36385.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    .Net Boot Service: C:\WINDOWS\system32\big5_gb2312.exe (disabled)
    abhcop: system32\drivers\abhcop.sys (system)
    Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD: \SystemRoot\System32\drivers\afd.sys (system)
    Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    Anfad: system32\drivers\Anfad.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
    auyj59s7: system32\drivers\auyj59s7.sys (system)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
    CdaD10BA: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS (autostart)
    CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    CSS DVP: system32\DRIVERS\css-dvp.sys (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Disk Driver: system32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
    Dot4 HPH09: system32\DRIVERS\hphid409.sys (manual start)
    Print Class Driver for IEEE-1284.4 HPH09: system32\DRIVERS\hphipr09.sys (manual start)
    Storage Class Driver for IEEE-1284.4 (HPH09): System32\Drivers\hphs2k09.sys (manual start)
    Dot4Usb HPH09: System32\drivers\hphius09.sys (manual start)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    DvpApi: "C:\Program Files\Common Files\Command Software\dvpapi.exe" (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
    ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
    ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
    FAD: system32\DRIVERS\FAD.sys (system)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
    VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: system32\DRIVERS\fetnd5.sys (manual start)
    Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\DRIVERS\fltMgr.sys (system)
    Freedom Miniport: system32\DRIVERS\FREEDOM.SYS (manual start)
    Freedom Filter: System32\Drivers\FreeTdi.sys (system)
    Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
    fu1hme04: \??\C:\WINDOWS\system32\drivers\fu1hme04.sys (system)
    GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
    Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
    hcalway: system32\DRIVERS\hcalway.sys (system)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
    InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
    IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
    IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
    iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
    IPSEC driver: system32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
    Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
    WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
    MSCSPTISRV: "C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
    Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
    Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
    Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Net MD: System32\Drivers\NETMDUSB.sys (manual start)
    1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
    PACSPTISVR: "C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
    Parallel port driver: system32\DRIVERS\parport.sys (manual start)
    PCAMPR5 NDIS Protocol Driver: \??\C:\WINDOWS\system32\PCAMPR5.SYS (manual start)
    PCI Bus Driver: system32\DRIVERS\pci.sys (system)
    PCIIde: system32\DRIVERS\pciide.sys (system)
    Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
    Logitech QuickCam Express(PID_0920): system32\DRIVERS\LV532AV.SYS (manual start)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Pml Driver: C:\WINDOWS\system32\HPHipm09.exe (manual start)
    IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
    WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: system32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\Drivers\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
    Rdbss: system32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
    Remote Log: system32\ServeHost.exe (autostart)
    Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: system32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS300i: system32\DRIVERS\sis300ip.sys (manual start)
    Service for AC'97 Sample Driver (WDM): system32\drivers\ac97sis.sys (manual start)
    SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
    BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
    Sony USB Filter Driver (SONYPVU1): system32\DRIVERS\SONYPVU1.SYS (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Sony SPTI Service: "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
    System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
    Srv: system32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    SonicStage SCSI Service: C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
    BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{3237AAD4-75E7-4BEF-ABFA-CC11C6628ABB} (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
    Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 37,643 bytes
    Report generated in 0.341 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,715
    Under your account please do the following:

    Create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

    In the System Restore wizard, select Create a restore point and click the Next button.

    Type a name for your new restore point then click on Create.


    I'm attaching a FixColleen3.reg file to this post. Save it to your desktop but don't do anything with it yet. We will use it later in safe mode.


    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find abhcop.
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    Repeat the above steps for each of the following services:

    abhcop
    Anfad
    FAD
    fu1hme04
    auyj59s7
    hcalway
    Remote Log



    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    O2 - BHO: IE Address Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\Program Files\SearchNet\SNHpr.dll

    O4 - HKLM\..\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"

    O23 - Service: Remote Log - Beijing zhongsou online software - C:\WINDOWS\system32\ServeHost.exe



    Reboot into safe mode and run Killbox on these files/folders:

    C:\Program Files\SearchNet\SNHpr.dll

    C:\Program Files\SearchNet

    C:\WINDOWS\system32\big5_gb2312.exe

    C:\WINDOWS\system32\drivers\abhcop.sys

    C:\WINDOWS\system32\drivers\Anfad.sys

    C:\WINDOWS\system32\DRIVERS\FAD.sys

    C:\WINDOWS\system32\drivers\fu1hme04.sys

    C:\WINDOWS\system32\drivers\auyj59s7.sys

    C:\WINDOWS\system32\DRIVERS\hcalway.sys

    C:\WINDOWS\system32\ServeHost.exe



    While still in safe mode, unzip the FixColleen3.zip file on your desktop. Double click the FixColleen3.reg file and allow it to enter into the registry.


    Reboot and post a new HijackThis log please.
     

    Attached Files:

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/477771