1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: I need my HJT log looked at please!

Discussion in 'Virus & Other Malware Removal' started by Polly1016, Jan 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Hi Everyone,

    I'm sure I have something wrong. Dr. Watson's Post Mortem????? The only thing that I've downloaded lately is the Newest version of Spybot S&D, BelArc Advisor and PC Internet Patrol (7 day free trial).

    I noticed that something popped up quickly in this new "PC Internet Patrol" and said something about Dr.Watsons Post Mortem???? I could be wrong but isn't this connected to Acebot or another trojan???

    I never had that program. I'm including a fresh HJT log and I notice that something has changed in my O20 Win Logon. I am assuming it's the PC Internet thing but should it be in the logon? Also, I can't delete the setup.exe for BelArc advisor that's on my desktop because it says it's in use. I'd appreciated your thoughts!

    Oh, I switched to Firefox and Thunderbird last week but other than that nothing should be new. The only thing I've noticed with Firefox is that I'm getting a lot of those message about Microsoft has discovered an error and must shut down. Send report or not.

    Yikes!!!!!:eek:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:58:35 PM, on 1/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Internet Security Alliance\pcInternet Patrol\ipatrol.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\spupdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\spnpinst.exe
    C:\WINDOWS\system32\Sysocmgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Documents and Settings\Mary Ann\Desktop\advisor.exe
    C:\Documents and Settings\Mary Ann\Desktop\advisor.exe
    C:\Documents and Settings\Mary Ann\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [PCIP] C:\Program Files\Internet Security Alliance\pcInternet Patrol\ipatrol.exe
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123643428406
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: IsaLogon - C:\WINDOWS\system32\pcip\ippspw.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: pcInternet Patrol - Internet Security Alliance, INC - C:\Program Files\Internet Security Alliance\pcInternet Patrol\ipatrol.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Okay, this has been a scary couple of hours since I posted my HJT log. I ran SpySweeper and it found nothing. Then I ran Ewido (log attached) and it found nothing. I uninstalled BelArc Advisor and PC Internet Patrol. (I uninstalled them using their own uninstall feature). Just when Internet Patrol was finishing it's uninstall, Ewido popped up with this message.
    [​IMG].

    I clicked OK and then it rebooted. When I got back to my desktop it said that I had no network connectivity because I had not configured a network!!!! Huh???? My modem was fine and I couldn't figure it out. After trying this and that I rebooted into safe mode and did a system restore. Now I have my network configuration again and can get back online.

    I'm enclosing my Ewido scan log (which was before all this network configuration stuff happened) and a fresh HJT log since I uninstalled those programs. I don't think I want anything to do with PC Internet Patrol. It may be a good program but I was doing better without it! (n)

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:27:40 PM, 1/23/2006
    + Report-Checksum: AC8BE594

    + Scan result:

    No infected objects found.


    ::Report End


    Here's my latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:00:25 AM, on 1/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\spupdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\spnpinst.exe
    C:\WINDOWS\system32\Sysocmgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\stickies\stickies.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mary Ann\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123643428406
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  3. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
  4. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Well, I went ahead and did a few things on my own while awaiting some advice. I scanned with Panda Activescan and this is the result:

    Incident Location Status

    Adware:adware/fastlook Not disinfected Windows Registry
    Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Mary Ann\Desktop\Security\VundoFix\VundoFix\process.exe
    Potentially unwanted tool:Application/PcAudit Not disinfected C:\Documents and Settings\Mary Ann\Local Settings\Application Data\Mozilla\Firefox\Profiles\zzxehe3y.default\Cache(2)\6E9C3D13d01


    Also, according to Panda the pcInternet Patrol that I was using as a 7 day trial was actually spyware!!!

    This is what Panda had to say about it:

    At a glance Tech details Prevention & cure

    Common name: pcAudit

    Technical name: Spyware/pcAudit

    Threat level: Low

    Alias: PCinetpatrol

    Type: Spyware

    Effects:

    It attempts to send certain information to a server, in order to check if the computer is vulnerable.

    Affected platforms:

    Windows 2003/XP/2000/NT/ME/98/95

    Detection updated on: Nov. 30, 2004

    In circulation? No

    Country of origin: UNITED STATES OF AMERICA

    Brief Description

    pcAudit is a spyware program, which is developed by a private company in order to test the security level in a computer. It simulates the attack by a hacker, and attempts to send data to a server. If pcAudit is successful, it supposedly means that the computer is vulnerable to hacker attacks.

    However, it is important to consider which data is sent to the server and the potential threat, as it travels across the Internet on the clear, and the user does not exactly know how it will be used: name of the computer, IP address, files and folders within the My Documents directory, screenshots, keystrokes, e-mail address, etc.

    If there is an Internet connection available, the test is always successful, which would mean that the computer is vulnerable.
    *****************************************************************

    I also found all kinds of new Google Programs that had been pinned to my start menu. Google Desktop, Google Map, Google Popup blocker, etc. I never installed any of those.

    I deleted them by doing a search and pulling up all of the google things it found and deleted them. I'm sure that wasn't the best way to get rid of them but they don't show up anywhere else.

    My 'puter seems slower than it was a couple of days ago and I'm getting several of those warnings that say ...Such and such has encountered an error and will need to shut down...send or don't send report!

    I've got problems!!!!!!!!!!!!:eek:
     
  5. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
  6. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    My computer is operating very slowly now! Please help... something isn't right and I'm suspicious I picked up something bad!
     
  7. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Microsoft AntiSpyware must be disable before any fix, as it will interfere:

    Open Microsoft AntiSpyware.

    Click on Tools, Settings. In the left pane, click on Real-time Protection.
    Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).

    Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).

    After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
    Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

    Run Msconfig. Select the startup tab and deselect gcasServ. Click Ok and restart the computer when prompted.

    That will disable MS Antipyware and you can proceed with the fix. After the fix, then this should be reversed.

    As I understand, you uninstalled Ewido and PC Internet Patrol, if not, remove then from your Installed programs.

    Download Cleanup from Here:

    http://www.stevengould.org/downloads/cleanup/CleanUp40.exe

    * A window will open and choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK

    Boot in Safe Mode.

    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once its done, close the program.

    Restart.

    I see you have Spysweeper in your computer. Perform a Scan with Spysweeper and save the session log.

    Click the Sweep Options tab.

    Under What to Sweep please put a check next to the following:

    * Sweep Memory
    * Sweep Registry
    * Sweep Cookies
    * Sweep All User Accounts
    * Enable Direct Disk Sweeping
    * Sweep Contents of Compressed Files
    * Sweep for Rootkits

    Please UNCHECK Do not Sweep System Restore Folder.

    Click Sweep Now on the left side.

    Click the Start button.

    When it's done scanning, click the Next button.

    Make sure everything has a check next to it, then click the Next button.

    It will remove all of the items found.

    Click Session Log in the upper right corner, copy everything in that window.

    Click the Summary tab and click Finish.

    Post the contents of the session log as well as a fresh Hijackthis.
     
  8. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Thank you, JS!

    No, I didn't uninstall Ewido. I uninstalled the 2 things that I had installed that day... Bel Arc Advisor and PC Internet Patrol.

    I will be back after I follow your instructions.

    Thank You!(y)
     
  9. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Hi JS!

    I followed all of your instructions. Disabled MS Spyware, ran CleanUp, and booted to Safe Mode to run Webroot Spysweeper. Unfortunately, Spysweeper didn't find anthing. I'm even more concerned today because some of saved documents in MY DOCUMENTS are missing.

    I still think a lot of the problems that I've outlined at the beginning of this thread had to do with the D/L of that pc Internet Patrol. :confused:

    Here's the Spysweeper log: Thanks!

    ********
    2:23 PM: | Start of Session, Wednesday, January 25, 2006 |
    2:23 PM: Spy Sweeper started
    2:23 PM: Sweep initiated using definitions version 605
    2:23 PM: Starting Memory Sweep
    2:24 PM: Memory Sweep Complete, Elapsed Time: 00:01:04
    2:24 PM: Starting Registry Sweep
    2:24 PM: Registry Sweep Complete, Elapsed Time:00:00:14
    2:24 PM: Starting Cookie Sweep
    2:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    2:24 PM: Starting File Sweep
    2:46 PM: File Sweep Complete, Elapsed Time: 00:21:41
    2:46 PM: Full Sweep has completed. Elapsed time 00:23:07
    2:46 PM: Traces Found: 0
    ********
    2:19 PM: | Start of Session, Wednesday, January 25, 2006 |
    2:19 PM: Spy Sweeper started
    2:19 PM: Sweep initiated using definitions version 605
    2:19 PM: Starting Memory Sweep
    2:20 PM: Sweep Canceled
    2:23 PM: Program Version 4.5.8 (Build 683) Using Spyware Definitions 605
    2:23 PM: | End of Session, Wednesday, January 25, 2006 |
    ********
     
  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Download WinPFind

    http://www.bleepingcomputer.com/files/winpfind.php

    Right Click the Zip Folder and Select "Extract All"
    Extract it somewhere you will remember like the Desktop
    Dont do anything with it yet!

    Reboot into Safe Mode

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Doubleclick WinPFind.exe
    Click "Start Scan"
    It will scan the entire System, so please be patient!
    Once the Scan is Complete
    Reboot back to Normal Mode!
    Go to the WinPFind folder
    Locate WinPFind.txt
    Place those results in a reply! Post another Hijackthis log.
     
  11. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    JSntgRvr...

    I'll be back later tonight to run WinPFind. Thanks, again!(y)
     
  12. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    I ran WinPFind and it's very long. I'm including it as an attachement. If it shouldn't be in an attachment, perhaps you will post it.

    This is my HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:33:26 PM, on 1/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\spupdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\spnpinst.exe
    C:\WINDOWS\system32\Sysocmgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\stickies\stickies.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Mary Ann\My Documents\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123643428406
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv1.view22.com/view22/app/view22rte.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
    O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     

    Attached Files:

  13. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    For better viewing:

    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...
    UPX! 9/8/2005 12:11:28 PM 36959004 C:\Program Files\NIS05ENG.exe
    FSG! 9/8/2005 12:11:28 PM 36959004 C:\Program Files\NIS05ENG.exe

    Checking %WinDir% folder...

    Checking %System% folder...
    UPX! 3/10/2005 10:48:10 AM 269312 C:\WINDOWS\SYSTEM32\devil.dll
    PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
    PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
    PECompact2 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 1/4/2006 10:41:02 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
    Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

    Checking %System%\Drivers folder and sub-folders...
    PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

    Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    1/25/2006 8:17:28 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
    1/4/2006 12:45:26 AM H 21783 C:\WINDOWS\SYSTEM32\FFASTLOG.TXT
    1/7/2006 1:00:46 AM HS 8704 C:\WINDOWS\SYSTEM32\Thumbs.db
    11/30/2005 11:17:10 PM S 21633 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
    12/1/2005 7:12:48 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
    1/2/2006 6:09:36 PM S 11223 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
    1/25/2006 8:17:18 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
    1/25/2006 8:17:46 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
    1/25/2006 8:17:32 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
    1/25/2006 8:17:50 PM H 69632 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
    1/25/2006 8:17:42 PM H 1232896 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
    1/10/2006 2:07:32 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
    1/7/2006 3:40:32 PM S 1047 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
    1/7/2006 3:40:32 PM S 1370 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
    1/7/2006 3:40:32 PM S 126 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
    1/7/2006 3:40:32 PM S 194 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
    1/12/2006 2:59:40 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\95fec0a1-f7e1-4633-99e1-9e2e9ddeb634
    1/12/2006 2:59:40 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
    12/6/2005 1:38:02 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\918feef9-39d7-41b0-b9cc-f721ccdf50e2
    12/6/2005 1:38:02 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
    1/25/2006 8:16:24 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
    Creative Technology Ltd. 3/30/2001 2:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
    Creative Technology Ltd. 2/21/2002 1:00:00 AM 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
    8/18/1997 11:00:00 PM 22528 C:\WINDOWS\SYSTEM32\FINDFAST.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Intel(R) Corporation 3/11/2003 4:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
    Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
    12/29/2002 1:14:38 AM 81920 C:\WINDOWS\SYSTEM32\Startup.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
    Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
    Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
    Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
    NVIDIA Corporation 10/6/2003 1:16:00 PM 73728 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\nvtuicpl.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
    9/10/2003 1:27:12 AM 567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

    Checking files in %USERPROFILE%\Startup folder...
    9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\Mary Ann\Start Menu\Programs\Startup\DESKTOP.INI
    1/13/2006 10:06:00 PM 696 C:\Documents and Settings\Mary Ann\Start Menu\Programs\Startup\Stickies.lnk

    Checking files in %USERPROFILE%\Application Data folder...
    11/8/2005 11:42:54 AM 881 C:\Documents and Settings\Mary Ann\Application Data\AdobeDLM.log
    9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\Mary Ann\Application Data\DESKTOP.INI
    11/8/2005 11:42:54 AM 0 C:\Documents and Settings\Mary Ann\Application Data\dm.ini
    4/8/2004 6:14:28 AM 12358 C:\Documents and Settings\Mary Ann\Application Data\PFP110JCM.{PB
    4/8/2004 6:14:28 AM 61678 C:\Documents and Settings\Mary Ann\Application Data\PFP110JPR.{PB

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1 =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    {5464D816-CF16-4784-B9F3-75C0DB52B499} =
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
    {7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
    = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
    CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
    Real.com = C:\WINDOWS\System32\Shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    ButtonText = Real.com :

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} = :
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} = :
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    {40D41A8B-D79B-43D7-99A7-9EE0F344C385} = :
    {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    URLLSTCK.exe C:\Program Files\Norton Internet Security\UrlLstCk.exe
    Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    AcctMgr C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gcasServ
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item gcasServ
    hkey HKLM
    command "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    inimapping 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 2


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

    NoDriveTypeAutoRun _
    NoCDBurning 0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun ‘
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    disableregistrytools 0
    disabletaskmgr 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} =
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} =
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    = WRLogonNTF.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 1/25/2006 8:26:57 PM
     
  14. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
  15. Polly1016

    Polly1016 Thread Starter

    Joined:
    Nov 17, 2005
    Messages:
    232
    Yes, it certainly does!!

    Results:

    Service load:
    0% 100%
    File: devil.dll
    Status:
    MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

    MD5 8df4d4324e5755f1a0567db3c5be4c58
    Packers detected: UPX

    Scanner results

    AntiVir Found nothing
    ArcaVi Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/436720

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice