1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Slow browsing

Discussion in 'Web & Email' started by iain999, Jul 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    My computer has suddenly really slowed down when using the net, and occassionally I log onto a website, eg. when browsing holidays, only to be kicked out and this appears in the address bar - http://64.40.106.134/dns/?err=dns
    I use XP, run AVG, spybot and adaware.
    Anyone got any ideas?
    Thanks,
    Iain.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    Please do this:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    Logfile of HijackThis v1.99.1
    Scan saved at 13:26:23, on 25/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsf68.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://E:\0000C5DD\mo02p01a\common\en\online\code\odweb.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2106.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn851.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba1402.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.



    • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run Ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


    • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
      IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • Ewido will now begin the scanning process. Be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close Ewido and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.
     
  5. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    Logfile of HijackThis v1.99.1
    Scan saved at 20:10:20, on 26/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsf68.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://E:\0000C5DD\mo02p01a\common\en\online\code\odweb.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2106.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn851.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba1402.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Incident Status Location

    Adware:adware/cws Not disinfected C:\Documents and Settings\Iain\Favorites\Shop
    Spyware:spyware/searchcentrix Not disinfected Windows Registry
    Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
    Adware:adware/powerscan Not disinfected Windows Registry
    Dialer:dialer.xd Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{FF3F0F03-0F01-131A-A3F9-08F02B23E0CC}
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Iain\Cookies\[email protected][2].txt
    Virus:Trj/Downloader.AMW Disinfected C:\WINDOWS\Downloaded Program Files\sc.inf
    Virus:Bck/Dumador.DZ Disinfected C:\WINDOWS\iccontrol.exe
    Virus:Trj/Zapchast.BI Disinfected C:\winupd.bat
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 18:08:09 26/07/2006

    + Scan result:



    C:\Program Files\Common Files\dbaqfsuo\dcldaumumm\lpsemceae.exe -> Adware.Gator : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\dbaqfsuo\fdudrdcm\rnscmdrt.exe -> Adware.Gator : Cleaned with backup (quarantined).
    HKLM\SYSTEM\ControlSet006\Services\HTTP -> Adware.SpyHeal : Error during cleaning.
    HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters -> Adware.SpyHeal : Error during cleaning.
    HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\SslBindingInfo -> Adware.SpyHeal : Cleaned with backup (quarantined).
    HKLM\SYSTEM\ControlSet006\Services\HTTP\Parameters\UrlAclInfo -> Adware.SpyHeal : Cleaned with backup (quarantined).
    HKLM\SYSTEM\ControlSet006\Services\HTTP\Security -> Adware.SpyHeal : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba1305.exe -> Dialer.GBDialer.c : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba2093.exe -> Dialer.GBDialer.c : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba851.exe -> Dialer.GBDialer.c : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba2093.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba2093.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba2093.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\gba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.4\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.4\gba263.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.5\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.6\dba1305.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba1862.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\gba2106.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbn1342.exe -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\dba263.exe -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\gba263.exe -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\gbn1342.exe -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivers\etc\hosts.20050415-121329.backup -> Trojan.Bambo.Hosts.A : Cleaned with backup (quarantined).


    ::Report end
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    Please download SmitfraudFix (by S!Ri)

    Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop. This is imperative for the tool to function properly. If using a utility such as winzip you will have to direct it there as it will not unzip to the desktop by default. The desination location should look like this (C: being your primary drive): C:\Documents and Settings\User\Desktop\SmitfraudFix

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    SmitFraudFix v2.75b

    Scan done at 12:13:48.09, 27/07/2006
    Run from C:\Documents and Settings\Iain\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Iain\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Iain\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    Sorry for the delay but I was away for a few days.

    Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don’t do anything with it yet!


    Click here for info on how to boot to safe mode if you don't already know how.


    Reboot into Safe Mode.


    Double click WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!


    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Copy and paste WinPFind.txt in your next post here please.
     
  9. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    Hi again, thanks for your latest advice, here goes............

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...
    PEC2 26/11/2005 13:27:04 2797582 C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    PECompact2 26/11/2005 13:27:04 2797582 C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    PEC2 26/11/2005 13:27:04 2797621 C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    PECompact2 26/11/2005 13:27:04 2797621 C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    PEC2 19/09/2005 20:34:14 2797577 C:\Program Files\US Pro Evolution Soccer 5 crack.exe
    PECompact2 19/09/2005 20:34:14 2797577 C:\Program Files\US Pro Evolution Soccer 5 crack.exe

    Checking %WinDir% folder...
    UPX! 08/01/2005 21:32:18 65536 C:\WINDOWS\IFinst27.exe
    UPX! 10/10/2005 12:35:44 54272 C:\WINDOWS\madchook.dll
    UPX! 08/10/2003 06:00:08 44032 C:\WINDOWS\Unwash5.exe

    Checking %System% folder...
    PEC2 23/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 07/07/2006 02:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 27/04/2006 17:49:30 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
    UPX! 09/01/2006 10:36:04 42496 C:\WINDOWS\SYSTEM32\swreg.exe
    UPX! 09/01/2006 10:36:06 40960 C:\WINDOWS\SYSTEM32\swsc.exe
    winsync 23/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    UPX! 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    30/07/2006 18:33:10 S 2048 C:\WINDOWS\bootstat.dat
    30/07/2006 17:51:24 H 48882 C:\WINDOWS\system32\vsconfig.xml
    26/07/2006 16:55:08 H 4212 C:\WINDOWS\system32\zllictbl.dat
    01/06/2006 21:28:56 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
    19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    30/07/2006 18:33:02 H 8192 C:\WINDOWS\system32\config\default.LOG
    30/07/2006 18:33:24 H 1024 C:\WINDOWS\system32\config\SAM.LOG
    30/07/2006 18:33:12 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
    30/07/2006 18:33:26 H 73728 C:\WINDOWS\system32\config\software.LOG
    30/07/2006 18:33:26 H 942080 C:\WINDOWS\system32\config\system.LOG
    12/07/2006 16:04:50 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    30/07/2006 18:32:08 H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Avance Logic, Inc. 22/07/2002 07:28:00 973824 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
    Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Ahead Software AG 23/12/2003 16:40:52 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
    Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 10/11/2005 13:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    NVIDIA Corporation 20/07/2005 21:07:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
    Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Apple Computer, Inc. 23/09/2004 19:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    NVIDIA Corporation 31/07/2002 00:50:00 118784 C:\WINDOWS\SYSTEM32\WinFast\Graphics\nvtuicpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    08/04/2006 16:55:52 1687 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    23/02/2004 12:22:12 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...

    Checking files in %USERPROFILE%\Application Data folder...
    23/02/2004 12:22:12 62 C:\Documents and Settings\Iain\Application Data\desktop.ini
    26/05/2006 14:07:58 23 C:\Documents and Settings\Iain\Application Data\inifile41.ini
    16/07/2006 12:46:56 0 C:\Documents and Settings\Iain\Application Data\internaldb153.dat
    30/07/2006 18:31:36 338 C:\Documents and Settings\Iain\Application Data\internaldb1942.dat
    26/05/2006 14:08:08 0 C:\Documents and Settings\Iain\Application Data\internaldb2391.dat
    03/06/2006 21:18:24 0 C:\Documents and Settings\Iain\Application Data\internaldb3902.dat
    30/07/2006 18:29:02 0 C:\Documents and Settings\Iain\Application Data\internaldb4604.dat
    28/07/2006 20:25:20 122880 C:\Documents and Settings\Iain\Application Data\internaldb4827.dat
    30/07/2006 18:29:02 13046 C:\Documents and Settings\Iain\Application Data\internaldb5436.dat
    16/06/2006 13:52:34 0 C:\Documents and Settings\Iain\Application Data\internaldb9912.dat

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
    {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED7D3DE-6DBE-4516-8712-01B1B64B7057}
    ohb Class = C:\WINDOWS\system32\SearchTool\nsf68.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText = Research :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
    Shell Search Band = %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{85E0B171-04FA-11D1-B7DA-00A0C90348D7}
    Search Tool = C:\WINDOWS\system32\SearchTool\SearchTool.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    {C34302DA-242D-98CC-985D-F008F8698362} = first ooze data : C:\PROGRA~1\ACTIVE~1\Eq Bird.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SoundMan SOUNDMAN.EXE
    NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
    TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    nwiz nwiz.exe /install
    AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
    Motive SmartBridge C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MMTray "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    mmtask "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    WatchDog C:\Program Files\mobile PhoneTools\WatchDog.exe
    Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    WebCamRT.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun ‘
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 30/07/2006 18:40:27
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C: or whatever your primary drive is)
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with this yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon [​IMG] and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot into normal windows.


    Come back here and post a new HijackThis log along with a new WinpFind log please.
     
  11. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    Hi, Sorry for the delay, I was away for a few days, thanks, Iain.

    Logfile of HijackThis v1.99.1
    Scan saved at 13:44:45, on 07/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Documents and Settings\Iain\Desktop\WinPFind\winpfind.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchTool\nsf68.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://E:\0000C5DD\mo02p01a\common\en\online\code\odweb.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2106.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn851.exe
    O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gba1402.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    May I see a new WinpFind log as well please, as requested.
     
  13. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    sorry, overlooked that............


    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...
    PEC2 26/11/2005 13:27:04 2797582 C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    PECompact2 26/11/2005 13:27:04 2797582 C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    PEC2 26/11/2005 13:27:04 2797621 C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    PECompact2 26/11/2005 13:27:04 2797621 C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    PEC2 19/09/2005 20:34:14 2797577 C:\Program Files\US Pro Evolution Soccer 5 crack.exe
    PECompact2 19/09/2005 20:34:14 2797577 C:\Program Files\US Pro Evolution Soccer 5 crack.exe

    Checking %WinDir% folder...
    UPX! 08/01/2005 21:32:18 65536 C:\WINDOWS\IFinst27.exe
    UPX! 10/10/2005 12:35:44 54272 C:\WINDOWS\madchook.dll
    UPX! 08/10/2003 06:00:08 44032 C:\WINDOWS\Unwash5.exe

    Checking %System% folder...
    PEC2 23/08/2001 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 19/06/2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    aspack 07/07/2006 02:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 04/08/2004 08:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 04/08/2004 08:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    UPX! 27/04/2006 17:49:30 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
    UPX! 09/01/2006 10:36:04 42496 C:\WINDOWS\SYSTEM32\swreg.exe
    UPX! 09/01/2006 10:36:06 40960 C:\WINDOWS\SYSTEM32\swsc.exe
    winsync 23/08/2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    PTech 19/06/2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

    Checking %System%\Drivers folder and sub-folders...
    UPX! 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    FSG! 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PEC2 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    aspack 24/05/2006 19:43:10 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
    PTech 04/08/2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    08/08/2006 21:37:02 S 2048 C:\WINDOWS\bootstat.dat
    07/08/2006 09:11:20 H 54156 C:\WINDOWS\QTFont.qfn
    07/08/2006 13:30:06 HS 7680 C:\WINDOWS\Thumbs.db
    08/08/2006 21:39:52 H 0 C:\WINDOWS\LastGood\INF\oem72.inf
    08/08/2006 21:39:52 H 0 C:\WINDOWS\LastGood\INF\oem72.PNF
    08/08/2006 21:38:54 H 48882 C:\WINDOWS\system32\vsconfig.xml
    26/07/2006 16:55:08 H 4212 C:\WINDOWS\system32\zllictbl.dat
    19/06/2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
    08/08/2006 21:47:50 H 1024 C:\WINDOWS\system32\config\default.LOG
    08/08/2006 21:37:08 H 1024 C:\WINDOWS\system32\config\SAM.LOG
    08/08/2006 21:47:20 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
    08/08/2006 21:48:12 H 1024 C:\WINDOWS\system32\config\software.LOG
    08/08/2006 21:40:12 H 1024 C:\WINDOWS\system32\config\system.LOG
    12/07/2006 16:04:50 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    08/08/2006 21:37:10 H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Avance Logic, Inc. 22/07/2002 07:28:00 973824 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
    Microsoft Corporation 04/08/2004 08:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 04/08/2004 08:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Microsoft Corporation 04/08/2004 08:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 04/08/2004 08:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 04/08/2004 08:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Ahead Software AG 23/12/2003 16:40:52 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
    Microsoft Corporation 04/08/2004 08:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 04/08/2004 08:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 04/08/2004 08:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 04/08/2004 08:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 10/11/2005 13:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 04/08/2004 08:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 04/08/2004 08:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 04/08/2004 08:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    NVIDIA Corporation 20/07/2005 21:07:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
    Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 04/08/2004 08:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 04/08/2004 08:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Apple Computer, Inc. 23/09/2004 19:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    Microsoft Corporation 04/08/2004 08:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 04/08/2004 08:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 04/08/2004 08:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 23/08/2001 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 23/08/2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 23/08/2001 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 23/08/2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    NVIDIA Corporation 31/07/2002 00:50:00 118784 C:\WINDOWS\SYSTEM32\WinFast\Graphics\nvtuicpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    08/04/2006 16:55:52 1687 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    23/02/2004 12:22:12 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...

    Checking files in %USERPROFILE%\Application Data folder...
    23/02/2004 12:22:12 62 C:\Documents and Settings\Iain\Application Data\desktop.ini
    26/05/2006 14:07:58 23 C:\Documents and Settings\Iain\Application Data\inifile41.ini
    07/08/2006 08:55:50 0 C:\Documents and Settings\Iain\Application Data\internaldb153.dat
    08/08/2006 21:43:40 338 C:\Documents and Settings\Iain\Application Data\internaldb1942.dat
    26/05/2006 14:08:08 0 C:\Documents and Settings\Iain\Application Data\internaldb2391.dat
    03/06/2006 21:18:24 0 C:\Documents and Settings\Iain\Application Data\internaldb3902.dat
    07/08/2006 17:04:08 0 C:\Documents and Settings\Iain\Application Data\internaldb4604.dat
    07/08/2006 08:55:56 124928 C:\Documents and Settings\Iain\Application Data\internaldb4827.dat
    07/08/2006 17:04:08 13046 C:\Documents and Settings\Iain\Application Data\internaldb5436.dat
    07/08/2006 08:55:50 0 C:\Documents and Settings\Iain\Application Data\internaldb9912.dat

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
    {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
    {6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ED7D3DE-6DBE-4516-8712-01B1B64B7057}
    ohb Class = C:\WINDOWS\system32\SearchTool\nsf68.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText = Research :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
    Shell Search Band = %SystemRoot%\system32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{85E0B171-04FA-11D1-B7DA-00A0C90348D7}
    Search Tool = C:\WINDOWS\system32\SearchTool\SearchTool.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    {C34302DA-242D-98CC-985D-F008F8698362} = first ooze data : C:\PROGRA~1\ACTIVE~1\Eq Bird.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SoundMan SOUNDMAN.EXE
    NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
    TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    nwiz nwiz.exe /install
    AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
    Motive SmartBridge C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MMTray "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    mmtask "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    WatchDog C:\Program Files\mobile PhoneTools\WatchDog.exe
    Zone Labs Client "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe
    ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
    WebCamRT.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun ‘
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    = WgaLogon.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 08/08/2006 21:48:26
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,316
    What are all these?

    C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    C:\Program Files\Deutsch Pro Evolution Soccer 5 crack.exe
    C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    C:\Program Files\Pro Evolution Soccer 5 cracked.exe
    C:\Program Files\US Pro Evolution Soccer 5 crack.exe
    C:\Program Files\US Pro Evolution Soccer 5 crack.exe
     
  15. iain999

    iain999 Thread Starter

    Joined:
    Oct 29, 2004
    Messages:
    49
    They must have been something to do with a soccer game I had, I dont need them now though.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/485638

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice