
Solved: HJT Log to Review

Discussion in 'Virus & Other Malware Removal' started by KtuluCJ77, Jan 31, 2007.

  1. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    Hi, I've been having some troubles with this computer since last week when I got a nasty trojan from a torrent file. It's the one that poses as a Windows Update file with the red shield in your task bar and such. (I believe it was the same issue as seen in this thread - http://forums.techguy.org/security/537820-trogen-adclicker.html) I also got the newdotnet file that screwed up my internet connection from the registry and everything. After fixing what I could, I know there's still something else that's up but I'm not really sure what. Think-Adz still seems to be lurking on here, and when I open Firefox, I get an IE message asking me whether I want to connect or stay online despite already being connected and browsing with Firefox. Those are the only problems I can think of at the moment, but as I said, I know something has to be up. I know trojans can really screw up a computer.

    Here's a current HJT log for anyone that may be able to see something in there that seems fishy:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:57 PM, on 1/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

    The file missing stuff worries me a good bit, and even though I've read wuauclt.exe is a Windows file elsewhere online, anytime I've ever seen it running it seems there's been something wrong. If anyone sees anything screwy, please let me know.

    By the way, I tried simply reinstalling XP, but the computer gives me a missing file message and won't let me finish the setup. I searched the file online but found nothing about it - it's ajd9kxxc.sys.

    Thanks.
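    As an added illustration (not code from the thread, HijackThis or any of the tools named here), the script below applies three defender-side checks to lines in the shape of the HJT log above: a binary registered under more than one autostart location, an eight-letter lowercase name in system32, and O23 services whose file is reported missing. The sample lines are taken from the log above; the allowlist `KNOWN_SYSTEM32_EXES`, the regular expressions and the function names are my own assumptions, and a real deployment would replace the name heuristic with a hash allowlist.

```python
import re
from collections import defaultdict

# Sample in the shape of the HijackThis (HJT) log above: a few O4 autostart
# entries and O23 services, embedded so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinmoea.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
"""

# Line shapes for the three HJT entry kinds handled here (assumed from the log format).
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - -?(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Hypothetical allowlist: legitimate 8-letter system32 binaries that the
# random-name heuristic must not flag. Illustrative only.
KNOWN_SYSTEM32_EXES = {"services.exe", "winlogon.exe"}
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.exe$")
SYSTEM32 = "c:\\windows\\system32\\"


def _exe_from_command(cmd: str) -> str:
    """Extract the executable from a Run/Startup command line and normalise it
    (lower-case, %systemroot% expanded) so entries can be compared."""
    cmd = cmd.strip()
    quoted = re.match(r'"(?P<exe>[^"]+)"', cmd)
    if quoted:
        exe = quoted.group("exe")
    else:
        bare = re.match(r"(?P<exe>.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        exe = bare.group("exe") if bare else cmd.split()[0]
    return exe.lower().replace("%systemroot%", "c:\\windows")


def parse_hjt(log_text: str):
    """Return (autostarts, services): autostarts as (label, exe) tuples,
    services as (name, path, file_missing) tuples."""
    autostarts, services = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            autostarts.append((f"{m['hive']} Run [{m['name']}]", _exe_from_command(m["cmd"])))
        elif m := STARTUP_RE.match(line):
            autostarts.append((f"{m['scope']} {m['name']}", _exe_from_command(m["cmd"])))
        elif m := SERVICE_RE.match(line):
            services.append((m["name"], m["path"].lower(), m["missing"] is not None))
    return autostarts, services


def triage_hjt(log_text: str) -> dict:
    """Apply three defender heuristics to an HJT log and return the findings."""
    autostarts, services = parse_hjt(log_text)
    by_exe = defaultdict(list)
    for label, exe in autostarts:
        by_exe[exe].append(label)
    # 1. One binary registered under several autostart locations (an HKLM Run
    #    value plus a Startup-folder .lnk, as in the log above) is worth a look.
    multi = {exe: labels for exe, labels in by_exe.items() if len(labels) > 1}
    # 2. Eight random lowercase letters in system32 is the naming style seen in
    #    the log above; the allowlist keeps legitimate binaries out.
    random_names = sorted(
        exe for exe in by_exe
        if exe.startswith(SYSTEM32)
        and RANDOM_NAME_RE.match(exe.rsplit("\\", 1)[-1])
        and exe.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_EXES
    )
    # 3. Services whose binary no longer exists are orphaned registrations to clean up.
    missing = [name for name, _path, is_missing in services if is_missing]
    return {"multi_persistence": multi, "random_system32": random_names, "missing_services": missing}


if __name__ == "__main__":
    for key, value in triage_hjt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved HJT log by reading the file into `triage_hjt`; the value of the first check is that it does not depend on recognising any particular file name, only on the same path appearing in two autostart locations.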
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Do you have an active anti-virus? Or was AVG removed?
     
  3. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    AVG still seems to work on it
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download AVG Anti-Spyware from HERE and save that file to your desktop.

    When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG will now begin the scanning process. Please be patient as this may take a little time.
      Once the scan is complete, do the following:
    5. If you have any infections you will be prompted. Then select "Apply all actions."
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  5. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:13 PM, on 2/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinmoea.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

    Panda Log:

    Incident Status Location

    Virus:trj/torpig.a Disinfected Operating system
    Adware:adware/adblock Not disinfected c:\windows\downloaded program files\aphelper.dll
    Adware:adware/2search Not disinfected c:\program files\2search
    Adware:adware/activesearch Not disinfected c:\program files\411Ferret
    Adware:adware/commad Not disinfected Windows Registry
    Adware:adware/browserplugin Not disinfected Windows Registry
    Adware:adware/ipbill Not disinfected Windows Registry
    Adware:adware/adsincontext Not disinfected Windows Registry
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt[.winantivirus.com/]
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt[stats1.reliablestats.com/]
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt[winantivirus.com/]
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Cookies\[email protected][2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Cookies\[email protected][2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Dot.LAFFO1999\Local Settings\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\Cache\A23E4567d01
    Possible Virus. Not disinfected C:\Program Files\Common Files\System\ServiceUpd.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cvratihk.dll
    Adware:Adware/WinAntivirus2006 Not disinfected C:\WINDOWS\system32\xwxtegye.dll

    AVG:

    C:\SDFix\backups\backups.zip/backups/autosys.exe -> Downloader.Obfuscated.bh : No action taken.
    C:\!KillBox\ctpmon.exe -> Hijacker.Agent.is : No action taken.
    C:\ifmkarh.exe -> Hijacker.Agent.is : No action taken.
    :mozilla.13:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.14:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.21:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.15:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    :mozilla.16:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    :mozilla.17:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    :mozilla.18:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    :mozilla.19:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    :mozilla.20:C:\Documents and Settings\Dot.LAFFO1999\Application Data\Mozilla\Firefox\Profiles\kvy3yokh.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
    C:\Documents and Settings\Dot.LAFFO1999\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : No action taken.
    :mozilla.153:C:\Documents and Settings\Dot\Application Data\Mozilla\Firefox\Profiles\p0zln78g.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.154:C:\Documents and Settings\Dot\Application Data\Mozilla\Firefox\Profiles\p0zln78g.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.155:C:\Documents and Settings\Dot\Application Data\Mozilla\Firefox\Profiles\p0zln78g.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.


    ::Report end

    I guess I should've done the Panda scan to begin with; I only see it suggested on here a million times, eh?

    Anyway, I installed the free ewido version of AVG. Even though my full 7.5 version was still working, it could no longer update due to the missing files I assume. I already had the older ewido, but I'm totally updated on everything now.

    I wasn't finding any of the things in the logs here after I followed the thread I posted until now with the updated programs; I suppose it could've been due to my AVG being damaged? Either way, I feel pretty dumb right now, after doing all I knew to do already, then following the thread with the similar problem, and I still have problems. Pretty annoying. I guess that's what I get for thinking I know my stuff, hmm?
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
     
  7. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    Vundo:


    VundoFix V4.2.22
    Scan started at 5:26:02 PM 2/2/2007

    Listing files found while scanning....


    C:\WINDOWS\system32\nqtwa.bak1
    C:\WINDOWS\system32\nqtwa.bak2
    C:\WINDOWS\system32\nqtwa.ini
    C:\WINDOWS\system32\awtqn.dll
    Attempting to delete C:\WINDOWS\system32\nqtwa.bak1
    C:\WINDOWS\system32\nqtwa.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nqtwa.bak2
    C:\WINDOWS\system32\nqtwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\nqtwa.ini
    C:\WINDOWS\system32\nqtwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awtqn.dll
    C:\WINDOWS\system32\awtqn.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:29:04 PM, on 2/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinmoea.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

    I'm getting some IE pop ups when I click Firefox, and Spybot informs me something is trying to install browser helper objects. It also told me something was trying to remove the new AVG.
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download WinPFind.exe to your desktop, double click on it to open it and then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

    Start in Safe Mode Using the F8 method:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.

    Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.

    • Click “Configure scan options”
    • Under “Run AdOns” select the following:
      • Policies.def
      • Security.def
    • Click “apply”
    • Click "Start Scan"
    • It will scan the entire System, so please be patient and let it complete.


    When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new Hijack This log.
     
  9. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Logfile created on: 2/3/2007 2:34:09 AM
    WinPFind v1.5.0 Folder = C:\Documents and Settings\Dot.LAFFO1999\Desktop\WinPFind\
    Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
    Internet Explorer (Version = 6.0.2900.2180)

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    WSUD 11/17/2006 5:40:46 AM 18804736 C:\WINDOWS\SYSTEM32\alsndmgr.cpl (Realtek Semiconductor Corp.)
    UPX! 2/1/2007 8:45:00 PM 118804 C:\WINDOWS\SYSTEM32\cvratihk.dll ()
    aspack 11/20/2006 3:50:38 AM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:40 AM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:42 AM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:44 AM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:46 AM 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:48 AM 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
    aspack 11/20/2006 3:50:50 AM 2414360 C:\WINDOWS\SYSTEM32\d3dx9_31.dll (Microsoft Corporation)
    PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
    UPX! 2/1/2007 8:44:54 PM 44165 C:\WINDOWS\SYSTEM32\jgxufptl.dll ()
    PECompact2 1/2/2007 3:19:46 PM 10980776 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
    aspack 1/2/2007 3:19:46 PM 10980776 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
    WSUD 8/3/2004 6:56:56 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
    aspack 8/3/2004 6:56:38 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
    WSUD 8/3/2004 6:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
    Umonitor 8/3/2004 6:56:46 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
    UPX! 2/2/2007 5:28:44 PM 118804 C:\WINDOWS\SYSTEM32\rdrgsdrb.dll ()
    UPX! 2/2/2007 5:28:54 PM 44165 C:\WINDOWS\SYSTEM32\rlhwbpmn.dll ()
    winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
    UPX! 2/1/2007 8:44:18 PM 76412 C:\WINDOWS\SYSTEM32\xwxtegye.dll ()
    UPX! 1/24/2007 10:05:18 PM HS 22541 C:\WINDOWS\SYSTEM32\yayaxxv.dll ()

    Checking %System%\Drivers folder and sub-folders...
    UPX! 1/24/2007 8:10:30 PM 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
    FSG! 1/24/2007 8:10:30 PM 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
    PEC2 1/24/2007 8:10:30 PM 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
    aspack 1/24/2007 8:10:30 PM 816672 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    2/3/2007 2:29:36 AM S 2048 C:\WINDOWS\bootstat.dat ()
    1/24/2007 8:37:12 PM H 54156 C:\WINDOWS\QTFont.qfn ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\WindowsShell.Manifest ()
    1/25/2007 11:52:06 PM S 64 C:\WINDOWS\CSC\00000001 ()
    1/25/2007 4:38:52 PM S 64 C:\WINDOWS\CSC\00000002 ()
    1/25/2007 3:52:38 PM S 64 C:\WINDOWS\CSC\csc1.tmp ()
    1/15/2007 12:08:54 AM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()
    1/15/2007 12:11:02 AM HS 67 C:\WINDOWS\Fonts\desktop.ini ()
    1/15/2007 12:31:14 AM H 0 C:\WINDOWS\inf\oem1.inf ()
    1/15/2007 12:08:56 AM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()
    1/15/2007 12:10:00 AM RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab ()
    1/15/2007 12:10:00 AM RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab ()
    1/15/2007 12:10:00 AM RHS 244933 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab ()
    1/15/2007 12:12:36 AM H 245760 C:\WINDOWS\repair\ntuser.dat ()
    2/2/2007 5:28:46 PM HS 346 C:\WINDOWS\system32\brdsgrdr.ini ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest ()
    1/24/2007 10:11:14 PM HS 346 C:\WINDOWS\system32\emdiydgd.ini ()
    2/1/2007 8:45:06 PM HS 346 C:\WINDOWS\system32\khitarvc.ini ()
    1/15/2007 12:08:54 AM RH 488 C:\WINDOWS\system32\logonui.exe.manifest ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest ()
    2/2/2007 5:28:42 PM HS 998215 C:\WINDOWS\system32\nqtwa.bak1 ()
    2/3/2007 2:41:08 AM HS 1004635 C:\WINDOWS\system32\nqtwa.ini ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest ()
    1/15/2007 12:08:54 AM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest ()
    1/15/2007 12:08:36 AM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest ()
    1/24/2007 10:05:18 PM HS 22541 C:\WINDOWS\system32\yayaxxv.dll ()
    12/7/2006 8:30:20 PM S 9057 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB923689.cat ()
    12/19/2006 2:09:32 PM S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB929969.cat ()
    1/12/2007 4:36:48 AM S 496683 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem2.CAT ()
    2/3/2007 2:29:26 AM H 8192 C:\WINDOWS\system32\config\default.LOG ()
    2/3/2007 2:29:58 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
    2/3/2007 2:29:40 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
    2/3/2007 2:41:10 AM H 1024 C:\WINDOWS\system32\config\software.LOG ()
    2/3/2007 2:30:16 AM H 1024 C:\WINDOWS\system32\config\system.LOG ()
    1/14/2007 6:47:44 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG ()
    1/14/2007 6:47:48 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG ()
    1/15/2007 12:42:18 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
    1/14/2007 6:53:20 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()
    1/15/2007 12:31:22 AM S 1039 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\CFC456E7E410D69E2C6F3E2DB75C7DB3 ()
    1/19/2007 10:20:36 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 ()
    1/15/2007 12:31:22 AM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\CFC456E7E410D69E2C6F3E2DB75C7DB3 ()
    1/19/2007 10:20:36 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 ()
    1/14/2007 6:53:20 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()
    1/15/2007 12:21:06 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()
    1/15/2007 12:21:06 AM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\11PECYU3\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N6NIY84V\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VNMEUJ2H\desktop.ini ()
    1/15/2007 12:21:06 AM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y1O7YZGX\desktop.ini ()
    1/15/2007 12:09:02 AM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()
    1/14/2007 6:53:20 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()
    1/15/2007 12:12:30 AM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()
    1/15/2007 12:12:28 AM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()
    1/15/2007 12:12:28 AM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()
    1/15/2007 12:12:28 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()
    1/15/2007 12:12:28 AM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()
    1/15/2007 12:21:20 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\88240734-ed10-418a-9980-14874de3565e ()
    1/15/2007 12:21:20 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
    2/3/2007 2:28:36 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()

    Checking for CPL files...
    8/3/2004 6:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
    11/17/2006 5:40:46 AM 18804736 C:\WINDOWS\SYSTEM32\alsndmgr.cpl (Realtek Semiconductor Corp.)
    8/3/2004 6:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
    11/20/2006 3:57:38 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
    11/20/2006 3:48:46 AM 80896 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
    11/20/2006 3:48:54 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
    11/20/2006 3:57:38 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
    11/20/2006 3:49:06 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
    11/20/2006 3:50:22 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
    11/20/2006 3:48:46 AM 80896 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
    11/20/2006 3:48:54 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
    11/20/2006 3:49:06 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
    8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
    8/3/2004 6:56:58 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl (Microsoft Corporation)
    11/20/2006 3:50:22 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
     
  10. KtuluCJ77

    KtuluCJ77 Thread Starter

    Checking for Downloaded Program Files...
    {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    1/15/2007 12:39:58 AM 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
    1/15/2007 12:12:28 AM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    1/14/2007 6:53:20 PM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini ()

    Checking files in %USERPROFILE%\Startup folder...
    1/15/2007 12:12:28 AM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

    Checking files in %USERPROFILE%\Application Data folder...
    1/14/2007 6:53:20 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini ()

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    >>> Internet Explorer Settings <<<


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    \\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    \\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    \\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    \\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    \\Local Page - %SystemRoot%\system32\blank.htm

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    \\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    \\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    >>> BHO's <<<
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    \{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    \{2385658A-9748-E432-CD2B-01EF30D1E839} - = C:\WINDOWS\system32\mktlpgh.dll ()
    \{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Yahoo! IE Services Button = C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    \{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - = C:\WINDOWS\system32\rlhwbpmn.dll ()
    \{CCD54327-47E5-47DB-935C-C7C9DBBC1391} - = C:\WINDOWS\system32\awtqn.dll ()

    >>> Internet Explorer Bars, Toolbars and Extensions <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    \{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    \{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    \ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    \{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - ButtonText: Yahoo! Services =

    >>> Approved Shell Extensions (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    \\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
    \\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
    \\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
    \\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
    \\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
    \\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
    \\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
    \\{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.6 Context Menu Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)
    \\{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.6 DragDrop Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)
    \\{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.6 Context Menu Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)
    \\{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} - WinAce Archiver 2.6 Property Sheet Shell Extension = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)
    \\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
    \\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)
    \\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    >>> Context Menu Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
    \AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
    \AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)
    \Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
    \ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)

    [HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
    \AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
    \ZFAdd - {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll (e-merge GmbH)

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
    \AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll (GRISOFT, s.r.o.)

    >>> Column Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    \{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

    >>> Registry Run Keys <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    QuickTime Task - C:\Program Files\QuickTime\qttask.exe ()
    ExploreUpdSched - C:\WINDOWS\system32\kwinmoea.exe ()
    SoundMan - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    KernelFaultCheck - ()

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    >>> Startup Links <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini ()

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini ()

    >>> MSConfig Disabled Items <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Dot.LAFFO1999^Start Menu^Programs^Startup^Think-Adz.lnk
    path C:\Documents and Settings\Dot.LAFFO1999\Start Menu\Programs\Startup\Think-Adz.lnk
    backup C:\WINDOWS\pss\Think-Adz.lnkStartup
    location Startup
    command C:\WINDOWS\system32\kwinmoea.exe OLI001
    item Think-Adz

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 2


    [All Users Startup Folder Disabled Items]

    [Current User Startup Folder Disabled Items]

    >>> User Agent Post Platform <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    \\SV1 -

    >>> AppInit Dll's <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

    >>> Image File Execution Options <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    \Your Image File Name Here without a path - Debugger = ntsd -d

    >>> Shell Service Object Delay Load <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    \\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
    \\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
    \\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

    >>> Shell Execute Hooks <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    \\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
    \\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

    >>> Shared Task Scheduler <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    \\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
    \\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

    >>> Winlogon <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    \\UserInit = C:\WINDOWS\system32\userinit.exe,
    \\Shell = Explorer.exe
    \\System =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    \awtqn - C:\WINDOWS\system32\awtqn.dll = ()
    \crypt32chain - crypt32.dll = (Microsoft Corporation)
    \cryptnet - cryptnet.dll = (Microsoft Corporation)
    \cscdll - cscdll.dll = (Microsoft Corporation)
    \ScCertProp - wlnotify.dll = (Microsoft Corporation)
    \Schedule - wlnotify.dll = (Microsoft Corporation)
    \sclgntfy - sclgntfy.dll = (Microsoft Corporation)
    \SensLogn - WlNotify.dll = (Microsoft Corporation)
    \termsrv - wlnotify.dll = (Microsoft Corporation)
    \wlballoon - wlnotify.dll = (Microsoft Corporation)

    >>> DNS Name Servers <<<
    {59350B63-05E1-4009-B136-CE1648C11A55} - (1394 Net Adapter)
    {96A4BEC8-8F92-4FEC-80CD-C89C6AA54EB4} - (Motorola SURFboard SB5120 USB Cable Modem)

    >>> All Winsock2 Catalogs <<<
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
    \000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
    \000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
    \000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
    \000000000004\\LibraryPath - %SystemRoot%\System32\nwprovau.dll (Microsoft Corporation)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
    \000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
    \000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
    \000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
    \000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

    >>> Protocol Handlers (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
    \msdaipp - ()

    >>> Protocol Filters (Non-Microsoft Only) <<<
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

    >>> Selected AddOn's <<<

    >>>>Output for AddOn file Policies.def<<<<
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
    policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
    policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
    policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
    policies\system\\dontdisplaylastusername - 0
    policies\system\\legalnoticecaption -
    policies\system\\legalnoticetext -
    policies\system\\shutdownwithoutlogon - 1
    policies\system\\undockwithoutlogon - 1

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
    policies\Explorer\\NoDriveTypeAutoRun - 145
    policies\System\\DisableRegistryTools - 0

    >>>>Output for AddOn file Security.def<<<<
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    Security Center\\FirstRunDisabled - 1
    Security Center\\AntiVirusDisableNotify - 0
    Security Center\\FirewallDisableNotify - 0
    Security Center\\UpdatesDisableNotify - 0
    Security Center\\AntiVirusOverride - 1
    Security Center\\FirewallOverride - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    BITS\\Type - 32
    BITS\\Start - 3
    BITS\\ErrorControl - 1
    BITS\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
    BITS\\DisplayName - Background Intelligent Transfer Service
    BITS\\DependOnService - RpcSs;
    BITS\\DependOnGroup -
    BITS\\ObjectName - LocalSystem
    BITS\\Description - Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
    BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00
    BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
    BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    BITS\Enum\\0 - Root\LEGACY_BITS\0000
    BITS\Enum\\Count - 1
    BITS\Enum\\NextInstance - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    SharedAccess\\DependOnGroup -
    SharedAccess\\DependOnService - Netman;WinMgmt;
    SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
    SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
    SharedAccess\\ErrorControl - 1
    SharedAccess\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
    SharedAccess\\ObjectName - LocalSystem
    SharedAccess\\Start - 2
    SharedAccess\\Type - 32
    SharedAccess\Epoch\\Epoch - 310
    SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10280:UDP - 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10281:UDP - 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10282:UDP - 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10283:UDP - 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10284:UDP - 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\10243:TCP - 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 0
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe - %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Dot.LAFFO1999\Desktop\utorrent.exe - C:\Documents and Settings\Dot.LAFFO1999\Desktop\utorrent.exe:*:Enabled:µTorrent
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe - C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avginet.exe - C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgamsvr.exe - C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgcc.exe - C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgemc.exe - C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10280:UDP - 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10281:UDP - 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10282:UDP - 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10283:UDP - 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10284:UDP - 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\10243:TCP - 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
    SharedAccess\Setup\\ServiceUpgrade - 1
    SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All - 1
    SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
    SharedAccess\Enum\\Count - 1
    SharedAccess\Enum\\NextInstance - 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    wuauserv\\Type - 32
    wuauserv\\Start - 2
    wuauserv\\ErrorControl - 1
    wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
    wuauserv\\DisplayName - Automatic Updates
    wuauserv\\ObjectName - LocalSystem
    wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
    wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
    wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
    wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
    wuauserv\Enum\\Count - 1
    wuauserv\Enum\\NextInstance - 1


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
     
  11. KtuluCJ77

    KtuluCJ77 Thread Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 3:06:25 AM, on 2/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinmoea.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
    O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.


    Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001

    Reboot and post another Hijack This log please.
     
  13. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\dgjydach

    *******************

    Script file located at: \??\C:\Program Files\ywsvgvnc.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\awtqn.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\cvratihk.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\jgxufptl.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\rdrgsdrb.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\rlhwbpmn.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\xwxtegye.dll deleted successfully.
    File C:\WINDOWS\SYSTEM32\yayaxxv.dll deleted successfully.
    File C:\WINDOWS\system32\brdsgrdr.ini deleted successfully.
    File C:\WINDOWS\system32\emdiydgd.ini deleted successfully.
    File C:\WINDOWS\system32\khitarvc.ini deleted successfully.
    File C:\WINDOWS\system32\nqtwa.bak1 deleted successfully.
    File C:\WINDOWS\system32\nqtwa.ini deleted successfully.
    File C:\WINDOWS\system32\mktlpgh.dll deleted successfully.
    File C:\WINDOWS\system32\kwinmoea.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    Logfile of HijackThis v1.99.1
    Scan saved at 3:11:30 PM, on 2/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\Dot.LAFFO1999\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

    kwinmoea.exe does seem to be gone now, and the ads that were coming with it. If that's it for this issue, do you know what I can do about clearing the option for me to go to Windows XP Setup on start up? It's remaining from when I tried to reinstall earlier, but since it never finished due to the apparent missing file, it's still lingering on there.

    Thanks for all the help so far. I'd never heard of the Vundo or Avenger programs.

    As you can see, I also removed the old AVG to get rid of the "file missing" issues related to that as well as the Yahoo crap.
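    The moderator's reads of the two logs above come down to a few mechanical checks: entries still registered but whose file is gone ("(file missing)"), the O20 Winlogon Notify hook, and one executable (kwinmoea.exe) registered from two autostart locations at once. The script below is an added example, not part of the thread and not HijackThis code; it parses the O4/O20/O23 line formats exactly as HijackThis 1.99.1 prints them and runs those three checks over a constructed sample assembled from lines in this thread's logs. The category names in the report are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: autostart and service lines copied from the first
# HijackThis log in this thread, plus the O20 line from the second log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinmoea.exe OLI001
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinmoea.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - -C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = " (file missing)"


def first_token(command):
    """Executable part of a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def normalize(path):
    """Lower-case, expand %systemroot%, drop the leading '-' HJT prints before service paths."""
    return path.strip().lstrip("-").lower().replace("%systemroot%", r"c:\windows")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_line(line):
    """Parse one O4 / O20 / O23 line into a dict; other lines return None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)]
    entry = {"code": code, "missing": missing, "location": None, "target": None}
    if code == "O4":
        location, _, rest = body.partition(": ")
        entry["location"] = location
        if rest.startswith("["):          # registry Run key: [name] command line
            entry["target"] = first_token(rest.partition("] ")[2])
        else:                             # Startup folder: name.lnk = path
            entry["target"] = rest.partition(" = ")[2]
    elif code in ("O20", "O23"):
        entry["target"] = body.rsplit(" - ", 1)[1]   # path is the last field
    if entry["target"]:
        entry["target"] = normalize(entry["target"])
    return entry


def analyse(log_text):
    """Apply the three checks and return them as a report dict."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    report = {"dangling": [], "winlogon_notify": [], "multi_autostart": {}}
    autostarts = defaultdict(set)
    for e in entries:
        if e["missing"]:                  # still registered, file already gone
            report["dangling"].append((e["code"], basename(e["target"])))
        if e["code"] == "O20":            # Winlogon Notify hooks always deserve a look
            report["winlogon_notify"].append(basename(e["target"]))
        if e["code"] == "O4":
            autostarts[e["target"]].add(e["location"])
    for target, locations in autostarts.items():
        if len(locations) > 1:            # same binary launched from several places
            report["multi_autostart"][basename(target)] = sorted(locations)
    return report


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(category, hits)
```

    Run against the sample, the report names kwinmoea.exe as the one binary reached from both an HKLM Run value and the user's Startup folder, lists awtqn.dll under the Winlogon Notify check, and collects the three dangling entries the thread ends up clearing. The multi-autostart check is deliberately generic: it does not know anything about Think-Adz, it only notices that one file has been registered twice.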
     
  14. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O20 - Winlogon Notify: awtqn - C:\WINDOWS\system32\awtqn.dll (file missing)

    Reboot.

    What file is missing from Setup?
     
  15. KtuluCJ77

    KtuluCJ77 Thread Starter

    Joined:
    Jan 2, 2004
    Messages:
    61
    ajd9kxxc.sys is the missing Setup file.

    I already got the awtqn.dll out, noticed after I posted. After a few reboots it still no longer shows up so I think it's fine.
     
Short URL to this thread: https://techguy.org/540062
