Gladiator Security Forum > Please Help! Spy Pop-Ups while surfing

Full Version: Please Help! Spy Pop-Ups while surfing

Gladiator Security Forum > Security Information and Discussion > HELP! Think you are Infected?

fabian

Dec 5 2004, 02:46 AM

I've also noticed my recycle bin is kinda dead. I deleted something and it does not show up in the recycle bin, kinda mysterious. dont know what that would mean. Appreciate any help! Thanks! willing to call you if you can help...PM ur phone number....

Logfile of HijackThis v1.98.2
Scan saved at 9:32:43 PM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\CommuniGatePro\CGStarter.exe
C:\WINNT\CommuniGatePro\CGServer.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\hpoipm07.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\explorer.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HadithQudsi] C:\Program Files\DivineIslam\Hadith Qudsi 1.0\HadithQudsi.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpywareKilla] "C:\Program Files\SpywareKilla\SpywareKilla.exe" /s
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?1_compaq&true
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.CAB
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamg.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/05f5e2eb4eeda18aae01/netzip/RdxIE.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097782091742
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/...ll/MFImgVwr.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSweb/msrdp.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.com/plugin/win/ie/printQuick.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

Files Found---

Additional Files---
C:\WINNT\System32\spOrder.dll

Keys Under Notify---AdminDebug
Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---wlballoon

Guardian Key--- is called:

User Agent String---
{F5236793-603A-4E52-842E-A51574DF02BC}

fabian

Dec 5 2004, 02:48 AM

Logfile of Browser Hijack Recover(BHR) v1.01
http://www.browser-hijack.com/hijack/
Log created on 12/4/2004 9:07:20 PM
Microsoft Windows XP Professional Service Pack 1 (Build 2600)
Internet Explorer v6.0.2800.1106 Update Versions: ;SP1;Q832894;Q330994;

[Process Manager] - [Process]
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\CommuniGatePro\CGStarter.exe
C:\WINNT\CommuniGatePro\CGServer.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\hpoipm07.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Browser Hijack Recover\bhr.exe

[Process Manager] - [NT Services]

[IE Options]
[IE Options] - [Normal]
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,Window Title =

[IE Options] - [IE Menu]
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserSaveAs = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFileNew = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserClose = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFileOpen = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoTheaterMode = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoViewSource = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBandCustomize = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoToolbarCustomize = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoFavorites = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoAddingChannels = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserOptions = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoBrowserContextMenu = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoOpeninNewWnd = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoSplash = 0
O6 - HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions, NoJITSetup = 0

[IE Options] - [Internet Options]
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, GeneralTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, HomePage = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Cache = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, History = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Colors = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, links = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Fonts = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Languages = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Accessibility = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, SecurityTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, ContentTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Ratings = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Certificates = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, FormSuggest = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, FormSuggest Passwords = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Profiles = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, ConnectionsTab = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, DialupAutodetect = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, EnableAutoProxyResultCache = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Connection Settings = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Connwiz Admin Lock = 0
O6 - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel, Proxy = 0

[IE Options] - [IE Search Hooks]

[IE Add-Ons] - [Toolbars]
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

[IE Add-Ons] - [Explorer Bars]
O9 - Extra "View" Explorer Bars: Search Band - {30D02401-6A81-11D0-8274-00C04FD5AE38} - C:\WINNT\System32\browseui.dll
O9 - Extra "View" Explorer Bars: Media Band - {32683183-48a0-441b-a342-7c2a440a9478} - C:\WINNT\System32\browseui.dll
O9 - Extra "View" Explorer Bars: (No Name) - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (No File)
O9 - Extra "View" Explorer Bars: File Search Explorer Band - {C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - C:\WINNT\system32\SHELL32.dll
O9 - Extra "View" Explorer Bars: Favorites Band - {EFA24E61-B078-11D0-89E4-00C04FC9E26E} - C:\WINNT\System32\shdocvw.dll
O9 - Extra "View" Explorer Bars: Explorer Band - {EFA24E64-B078-11D0-89E4-00C04FC9E26E} - C:\WINNT\System32\shdocvw.dll

[IE Add-Ons] - [Context Menu]

[IE Add-Ons] - [BHOs]
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll

[IE Add-Ons] - [Tools Menu]
O9 - Extra "Tool" Menu Item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

[IE Add-Ons] - [Tools Button]
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

[System Options]

[AutoLoad]
04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run msnmsgr = C:\Program Files\MSN Messenger\msnmsgr.exe" /background
04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SpywareKilla = C:\Program Files\SpywareKilla\SpywareKilla.exe" /s
04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
04 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Synchronization Manager = mobsync.exe /logon
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HadithQudsi = C:\Program Files\DivineIslam\Hadith Qudsi 1.0\HadithQudsi.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run KernelFaultCheck = C:\WINNT\system32\dumprep 0 -k
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run msnappau = C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run QuickTime Task = C:\Program Files\QuickTime\qttask.exe" -atboottime
04 - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run gcasServ = C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\AcroTray.exe
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk = C:\PROGRA~1\EXIFLA~1\QuickDCF.exe
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp psc 900 series) - 1.lnk = C:\PROGRA~1\HEWLET~1\AiO\HPPSC9~1\Bin\hpobrt07.exe
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LimeWire 4.0.8.lnk = C:\PROGRA~1\LimeWire\LIMEWI~1.8\LimeWire.exe
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\PROGRA~1\MICROS~2\Office\OSA9.EXE
O4 - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Phone Connection Monitor.lnk = C:\PROGRA~1\SONYER~1\Mobile\AUDEVI~1.EXE

Bobbi Flekman

Dec 5 2004, 02:11 PM

Hi fabian,

Download LSPfix here: www.cexx.org/lspfix.htm
Start the application, and click the "I know what I'm doing" checkbox.
Check all instances of aklsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish and reboot.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com

SpywareKilla is on Spyware Warrior's Rogue List. Uninstall this program!

O4 - HKCU\..\Run: [SpywareKilla] "C:\Program Files\SpywareKilla\SpywareKilla.exe" /s

You are using LimeWire. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use "Add/Remove Program" to remove it and any reference to LimeWire.
This is another article: http://www.cexx.org/adware.htm

If you are going to uninstall this program, also check this item:

O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe

O12 - Plugin for .hiv: C:\WINNT\Downloaded Program Files\nphijkjv.dll

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamg.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/05f5e2eb4eeda18aae01/netzip/RdxIE.cab

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!

Delete the following files in red (it could be that they are deleted already):

C:\WINNT\about.htm
C:\WINNT\Downloaded Program Files\nphijkjv.dll

Delete the following folders in red (it could be that they are deleted already):

C:\Program Files\SpywareKilla
if you uninstalled LimeWire C:\Program Files\LimeWire

Restart your computer.

Sign off and stay off the internet until the entire procedure is complete.

Run vx2finder.
Press "Click to Find VX2.BetterInternet"
Select all the files found
Press "Delete These Files"

The program will delete all files.

Once deleted:
a. Press "User Agent$"
b. Press "Restore Desktop"
c. Press "Import Reg"

Then...
Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

user posted image Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL's
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives

3. Click on the Advanced button on the left and select:
* Include additional process information
* Include additional file information
* Include environment information

4. Click the Tweak button and select:
* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
* Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click Finish

9. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

10.Reboot your computer.

Run HiJackThis again and post a new log in this thread.

fabian

Dec 6 2004, 03:36 AM

I appreciate your help! thank you very much.
I've uninstalled limewire but i could not locate spywarekilla.exe

when i rebooted in safe mode i couldnt find to delete the files you told me in red.

vx2finder generated nothing to delete.

adware deleted a couple of stuff. unfortunately problems still persist.....

when i launch IE, what follows is the opening of another browser looking for what i was looking for........

see logs below.....

Logfile of HijackThis v1.98.2
Scan saved at 10:28:31 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\CommuniGatePro\CGStarter.exe
C:\WINNT\CommuniGatePro\CGServer.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HadithQudsi] C:\Program Files\DivineIslam\Hadith Qudsi 1.0\HadithQudsi.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...l?1_compaq&true
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097782091742
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/...ll/MFImgVwr.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://ra.camh.net/QSTSweb/msrdp.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.com/plugin/win/ie/printQuick.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 05, 2004 4:36:30 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R21 03.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):17 total references
Redirected hostfile entry(TAC index:4):3 total references
Tracking Cookie(TAC index:3):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R21 03.12.2004
Internal build : 26
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 407954 Bytes
Total size : 1292266 Bytes
Signature data size : 1262795 Bytes
Reference data size : 28959 Bytes
Signatures total : 35914
Fingerprints total : 577
Fingerprints size : 21902 Bytes
Target categories : 15
Target families : 625

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:12 %
Total physical memory:261664 kb
Available physical memory:30232 kb
Total page file size:633568 kb
Available on page file:404376 kb
Total virtual memory:2097024 kb
Available virtual memory:2046664 kb
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

12-5-2004 4:36:30 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 356
ThreadCreationTime : 12-5-2004 9:25:42 PM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 428
ThreadCreationTime : 12-5-2004 9:25:47 PM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 472
ThreadCreationTime : 12-5-2004 9:25:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 484
ThreadCreationTime : 12-5-2004 9:25:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 644
ThreadCreationTime : 12-5-2004 9:25:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 668
ThreadCreationTime : 12-5-2004 9:25:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 896
ThreadCreationTime : 12-5-2004 9:25:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 936
ThreadCreationTime : 12-5-2004 9:25:51 PM
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:9 [nisum.exe]
FilePath : C:\Program Files\Norton Internet Security\
ProcessID : 960
ThreadCreationTime : 12-5-2004 9:25:52 PM
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NISUM.exe

#:10 [ccpxysvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ProcessID : 1104
ThreadCreationTime : 12-5-2004 9:25:56 PM
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccPxySvc.exe

#:11 [cisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1124
ThreadCreationTime : 12-5-2004 9:25:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:12 [cgstarter.exe]
FilePath : C:\WINNT\CommuniGatePro\
ProcessID : 1152
ThreadCreationTime : 12-5-2004 9:25:56 PM
BasePriority : Normal

#:13 [crypserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1164
ThreadCreationTime : 12-5-2004 9:25:56 PM
BasePriority : High
FileVersion : 5.4.0
ProductVersion : 5.4
ProductName : CrypKey Software Licensing System
CompanyName : Kenonic Controls Ltd.
FileDescription : CrypKey NT Service
InternalName : crypserv
LegalCopyright : Copyright © 2000
LegalTrademarks : CrypKey
OriginalFilename : crypserv.exe
Comments : Operates in all directories, not just configured ones. Directory configuration only used for fille clean up and uninstall. 0/3 fixed problem with other partitions. 0/6 fixed problem with short paths

#:14 [cgserver.exe]
FilePath : C:\WINNT\CommuniGatePro\
ProcessID : 1168
ThreadCreationTime : 12-5-2004 9:25:56 PM
BasePriority : Normal

#:15 [inetinfo.exe]
FilePath : C:\WINNT\System32\inetsrv\
ProcessID : 1216
ThreadCreationTime : 12-5-2004 9:25:57 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Internet Information Services
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : INETINFO.EXE

#:16 [persfw.exe]
FilePath : C:\Program Files\Tiny Personal Firewall\
ProcessID : 1280
ThreadCreationTime : 12-5-2004 9:25:57 PM
BasePriority : Normal
FileVersion : 2, 0, 15, 0
ProductVersion : 2, 0, 15, 0
ProductName : Tiny Personal Firewall
CompanyName : Tiny Software
FileDescription : Tiny Personal Firewall Engine
InternalName : PERSFW
LegalCopyright : Copyright © 2001
OriginalFilename : PERSFW.exe

#:17 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1392
ThreadCreationTime : 12-5-2004 9:25:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [rundll32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1496
ThreadCreationTime : 12-5-2004 9:26:00 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:19 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1984
ThreadCreationTime : 12-5-2004 9:26:05 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:20 [evntsvc.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1828
ThreadCreationTime : 12-5-2004 9:26:10 PM
BasePriority : Normal
FileVersion : 0.1.0.880
ProductVersion : 0.1.0.880
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : evntsvc.EXE

#:21 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1428
ThreadCreationTime : 12-5-2004 9:26:11 PM
BasePriority : Normal
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:22 [msnappau.exe]
FilePath : C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\
ProcessID : 1972
ThreadCreationTime : 12-5-2004 9:26:11 PM
BasePriority : Normal

#:23 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1980
ThreadCreationTime : 12-5-2004 9:26:11 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:24 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 2056
ThreadCreationTime : 12-5-2004 9:26:12 PM
BasePriority : Normal
FileVersion : 6.2.0137
ProductVersion : Version 6.2
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:25 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ProcessID : 2128
ThreadCreationTime : 12-5-2004 9:26:14 PM
BasePriority : Normal
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright © 2001
OriginalFilename : AcroTray.exe

#:26 [quickdcf.exe]
FilePath : C:\Program Files\Exif Launcher\
ProcessID : 2144
ThreadCreationTime : 12-5-2004 9:26:14 PM
BasePriority : Normal
FileVersion : 1, 1. 0. 2
ProductVersion : 1, 1, 0, 0
ProductName : FinePixViewer
CompanyName : FUJI PHOTO FILM CO., LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
LegalCopyright : Copyright 2000-2001 FUJI PHOTO FILM CO.,LTD.
OriginalFilename : QuickDCF.exe

#:27 [hpobrt07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\
ProcessID : 2164
ThreadCreationTime : 12-5-2004 9:26:14 PM
BasePriority : Normal
FileVersion : 2.00
ProductVersion : A.14.02.18
ProductName : hp psc 900 series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOBRT07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOBRT07.EXE
Comments : HP OfficeJet PSC 7 Series COM Device Objects

#:28 [audevicemgr.exe]
FilePath : C:\Program Files\Sony Ericsson\Mobile\
ProcessID : 2192
ThreadCreationTime : 12-5-2004 9:26:15 PM
BasePriority : Normal
FileVersion : 1, 0, 11, 1
ProductVersion : 1, 0, 11, 1
ProductName : Phone Connection Monitor
CompanyName : Teleca Software Solutions AB
FileDescription : Phone Connection Monitor application
InternalName : Device Manager
LegalCopyright : Copyright © 2002 Teleca Software Solutions AB
OriginalFilename : audevicemgr.exe

#:29 [devldr32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 2236
ThreadCreationTime : 12-5-2004 9:26:17 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright © Creative Technology Ltd. 1998-2001
OriginalFilename : DevLdr32.exe

#:30 [connmn~1.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\
ProcessID : 2456
ThreadCreationTime : 12-5-2004 9:26:20 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : ConnMngmntBox Module
InternalName : ConnMngmntBox
LegalCopyright : Copyright © Symbian Ltd. 2001
OriginalFilename : ConnMngmntBox.EXE

#:31 [mrouterruntime.exe]
FilePath : c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\
ProcessID : 2544
ThreadCreationTime : 12-5-2004 9:26:21 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 344
ProductVersion : 2, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : mRouterRuntime MFC Application
InternalName : mRouterRuntime
LegalCopyright : Copyright © Symbian Ltd. 2001
LegalTrademarks : EPOC
OriginalFilename : mRouterRuntime.EXE

#:32 [capman.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\
ProcessID : 2760
ThreadCreationTime : 12-5-2004 9:26:30 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : CapMan Module
InternalName : CapMan
LegalCopyright : Copyright © Symbian Ltd. 2001
OriginalFilename : CapMan.EXE

#:33 [elogerr.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\
ProcessID : 2776
ThreadCreationTime : 12-5-2004 9:26:30 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : logerr MFC Application
InternalName : logerr
LegalCopyright : Copyright © Symbian Ltd. 2001
LegalTrademarks : EPOC
OriginalFilename : logerr.EXE

#:34 [hpoevm07.exe]
FilePath : C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\
ProcessID : 2820
ThreadCreationTime : 12-5-2004 9:26:32 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.02.18
ProductName : hp psc 900 series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOEVM07.EXE
Comments : HP OfficeJet COM Event Manager

#:35 [broadc~1.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\
ProcessID : 2864
ThreadCreationTime : 12-5-2004 9:26:33 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : BroadcastProxy Module
InternalName : BroadcastProxy
LegalCopyright : Copyright © Symbian Ltd. 2001
OriginalFilename : BroadcastProxy.EXE

#:36 [scrfs.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\
ProcessID : 2944
ThreadCreationTime : 12-5-2004 9:26:35 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 1
ProductName : Symbian Connect
CompanyName : Symbian Ltd.
FileDescription : SCRFS Module
InternalName : SCRFS
LegalCopyright : Copyright © Symbian Ltd. 2001
OriginalFilename : SCRFS.EXE

#:37 [epmwor~1.exe]
FilePath : C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\
ProcessID : 2952
ThreadCreationTime : 12-5-2004 9:26:35 PM
BasePriority : Normal
FileVersion : 1, 2, 0,753
ProductVersion : 1,2,0,127
ProductName : CAPI_Worker Module
CompanyName : Teleca Software Solutions AB
FileDescription : CAPI_Worker Module
InternalName : CAPI_Worker
LegalCopyright : Copyright © 1999-2002 Teleca Software Solutions AB. All rights reserved.
OriginalFilename : EPMWorker.EXE

#:38 [hpoipm07.exe]
FilePath : C:\WINNT\System32\
ProcessID : 3060
ThreadCreationTime : 12-5-2004 9:26:37 PM
BasePriority : Normal
FileVersion : 4, 5, 0, 767
ProductVersion : 4, 5, 0, 767
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:39 [wuauclt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 3096
ThreadCreationTime : 12-5-2004 9:26:50 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:40 [hposts07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
ProcessID : 3192
ThreadCreationTime : 12-5-2004 9:27:03 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.02.18
ProductName : hp psc 900 series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOCPY07.EXE
Comments : HP OfficeJet Status

#:41 [hpofxm07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
ProcessID : 3200
ThreadCreationTime : 12-5-2004 9:27:03 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : A.14.02.18
ProductName : hp psc 900 series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet G Series Fax Manager
InternalName : HPOFXM07
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2000
OriginalFilename : HPOFXM07.EXE
Comments : HP OfficeJet G Series Fax Manager

#:42 [wuauclt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 3352
ThreadCreationTime : 12-5-2004 9:27:14 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:43 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3940
ThreadCreationTime : 12-5-2004 9:31:34 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:44 [cidaemon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 4084
ThreadCreationTime : 12-5-2004 9:33:32 PM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : S-1-5-21-1343024091-492894223-839522115-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : C:\Documents and Settings\TEMP\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\TEMP\recent
Description : list of recently opened documents

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : muhammed@mediaplex[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:muhammed@mediaplex.com/
Expires : 6-21-2009 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : muhammed@tribalfusion[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:muhammed@tribalfusion.com/
Expires : 12-31-2037 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : muhammed@doubleclick[2].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:muhammed@doubleclick.net/
Expires : 12-5-2004 4:48:58 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : muhammed@atdmt[2].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:muhammed@atdmt.com/
Expires : 12-3-2009 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 21

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21

Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch

Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
876 entries scanned.
New critical objects:3
Objects found so far: 24

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24

4:52:01 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:15:30.938
Objects scanned:162209
Objects identified:7
Objects ignored:0
New critical objects:7

Bobbi Flekman

Dec 6 2004, 11:18 AM

Hi fabian,

QUOTE

when i launch IE, what follows is the opening of another browser looking for what i was looking for........

Unfortunately this is a new piece of malware that we are currently working on to fix. I'm not completely sure what to do with this information, but be assured a lot of people are looking into this problem including your thread. So I'm a kind of intermediary.

Set hidden files showing. How do I show hidden files?

Open Windows Explorer, navigate to the folder "c:\Windows\System32". From the "View" menu, choose "Arrange icons by" and "Date modified". Find the file "Guard.tmp". Check its properties for the date of creation, and report that back to me. Check for .dll files that are near "Guard.tmp". Check their properties for a matching date and report them as well.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.

CODE

regedit /e Notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

Locate Export.bat on your Desktop and double-click on it. This will create a file on your desktop named Notify.reg. Attach this to a new post.

fabian

Dec 6 2004, 08:24 PM

Thanks for your efforts, you're awesome!

I couldnt locate the file guard.tmp anywhere

Today the virus installed shortcut links onto my desktop to online dating, online -- Look for another playground --, auction sites....

Also any idea how to get my recycle bin back? Anything i deleted cannot be recovered...my recycle bin has died.......

fabian

Dec 6 2004, 08:35 PM

i took a screenshot of the place you told me to search...
im sure u can see those nasty .exe programs sitting there........

Bobbi Flekman

Dec 7 2004, 12:56 PM

It seems that we have a solution. Can you download and extract the attached zip file. There is a batch file in it named Find.bat. This will create a log, please post it.

fabian

Dec 7 2004, 05:23 PM

Thanks for not giving up on me....you're the best!

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number is E0F5-0EE9

Directory of C:\WINNT\System32

12/07/2004 03:35 AM 225,441 dnpq0175e.dll
12/06/2004 07:50 PM 224,857 g0402ahmgd4a2.dll
12/05/2004 10:25 PM 224,857 idgcmn.dll
12/05/2004 04:16 PM 224,857 lwfax11n.dll
12/05/2004 04:14 PM 222,940 lvlu0939e.dll
12/05/2004 12:37 AM 223,232 irp6l57s1.dll
12/04/2004 07:50 PM <DIR> dllcache
12/04/2004 02:16 AM 223,600 l86o0ij3e8o.dll
10/14/2003 08:52 PM 32 {627A2D6C-EEF2-4D7D-A352-A7160385A63C}.dat
8 File(s) 1,569,816 bytes
1 Dir(s) 1,182,060,544 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Local Disk
Volume Serial Number is E0F5-0EE9

Directory of C:\WINNT\System32

12/04/2004 07:50 PM <DIR> dllcache
05/19/2004 11:04 AM 5,944 log0.txt
05/19/2004 11:04 AM 5,893 log.bak.txt
10/14/2003 08:52 PM 32 {627A2D6C-EEF2-4D7D-A352-A7160385A63C}.dat
05/18/2003 11:43 PM 488 logonui.exe.manifest
05/18/2003 11:43 PM 488 WindowsLogon.manifest
05/18/2003 11:43 PM 749 wuaucpl.cpl.manifest
05/18/2003 11:43 PM 749 cdplayer.exe.manifest
05/18/2003 11:43 PM 749 ncpa.cpl.manifest
05/18/2003 11:43 PM 749 nwc.cpl.manifest
05/18/2003 11:43 PM 749 sapi.cpl.manifest
03/24/2002 12:47 PM 530 ws785863.ocx
03/03/2002 11:46 PM <DIR> GroupPolicy
03/03/2002 11:37 PM 271 kjwall.gif
03/03/2002 11:37 PM 21,692 folder.htt
13 File(s) 39,083 bytes
2 Dir(s) 1,182,052,352 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is Local Disk
Volume Serial Number is E0F5-0EE9

Directory of C:\WINNT\System32

12/07/2004 12:10 PM 224,857 guard.tmp
1 File(s) 224,857 bytes
0 Dir(s) 1,182,052,352 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is Local Disk
Volume Serial Number is E0F5-0EE9

Directory of C:\WINNT\System32

12/07/2004 12:10 PM 224,857 guard.tmp
12/07/1999 07:00 AM 2,577 CONFIG.TMP
2 File(s) 227,434 bytes
0 Dir(s) 1,182,052,352 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F5236793-603A-4E52-842E-A51574DF02BC}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINNT\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\g0402ahmgd4a2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

-------------- Locate.com Results ---------------

Bobbi Flekman

Dec 7 2004, 06:00 PM

Hi fabian,

Can you zip the files in red for me:

C:\WINNT\System32\guard.tmp
C:\WINNT\System32\dnpq0175e.dll
C:\WINNT\System32\g0402ahmgd4a2.dll
C:\WINNT\System32\idgcmn.dll
C:\WINNT\System32\lwfax11n.dll
C:\WINNT\System32\lvlu0939e.dll
C:\WINNT\System32\irp6l57s1.dll
C:\WINNT\System32\l86o0ij3e8o.dll

Send the zip file to my email address.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINNT\System32\guard.tmp and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot, Process & Reboot now?", answer "No". Do the same for the these files:

C:\WINNT\System32\dnpq0175e.dll
C:\WINNT\System32\g0402ahmgd4a2.dll
C:\WINNT\System32\idgcmn.dll
C:\WINNT\System32\lwfax11n.dll
C:\WINNT\System32\lvlu0939e.dll
C:\WINNT\System32\irp6l57s1.dll
C:\WINNT\System32\l86o0ij3e8o.dll

after the last one click the button and answer "Yes". Let Killbox do it's work.

fabian

Dec 7 2004, 06:04 PM

i cant find guard.tmp.....looking for the others

Bobbi Flekman

Dec 7 2004, 06:12 PM

QUOTE (fabian @ Dec 7 2004, 07:04 PM)

i cant find guard.tmp.....looking for the others

Let Killbox handle it! Just copy the line and paste it into Killbox.

fabian

Dec 7 2004, 07:22 PM

ok done....then?

fabian

Dec 7 2004, 07:53 PM

Logfile of HijackThis v1.98.2
Scan saved at 2:47:28 PM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\CommuniGatePro\CGStarter.exe
C:\WINNT\CommuniGatePro\CGServer.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cidaemon.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097782091742
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - https://endor.erin.utoronto.ca/cgi-bin/nav/...nst/webinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

Bobbi Flekman

Dec 8 2004, 11:16 AM

Can you also post a log from Find.bat.

fabian

Dec 9 2004, 06:36 AM

Root Registry key Modified String value File/path reference
HKEY_CURRENT_USER Software\DivXNetworks\DivX4Windows 12/5/2004 3:55:22 AM Log File Name c:\divx.log
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\DivXNetworks\DivX4Windows 12/5/2004 3:55:22 AM Log File Name c:\divx.log
HKEY_LOCAL_MACHINE Software\Classes\CLSID\{A2C251C6-B016-11D4-A00B-0050DA18DE71}\InprocServer32 5/19/2003 3:48:31 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Inf42.dll
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{7AF322C5-AB43-11D4-A00B-0050DA18DE71}\1.0\0\win32 5/19/2003 3:48:56 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Inf42.dll
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{0F8F0848-74BE-474C-B804-880BBCA71501}\2.0\HELPDIR 5/19/2003 3:48:56 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{0F8F0848-74BE-474C-B804-880BBCA71501}\2.0\0\win32 5/19/2003 3:48:56 AM C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Word8.0\MSForms.exd
HKEY_LOCAL_MACHINE Software\Classes\Installer\Products\C78D6251559ABAF4FB8196B74A753E25\SourceList\Net 12/7/2004 3:53:48 AM 1 C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\EXITEM~1.1_E\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C78D6251559ABAF4FB8196B74A753E25\InstallProperties 12/7/2004 3:53:48 AM InstallSource C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\EXITEM~1.1_E\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Uninstall\{1526D87C-A955-4FAB-BF18-697BA457E352} 12/7/2004 3:53:48 AM InstallSource C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\LIVEUP~1\DOWNLO~1\EXITEM~1.1_E\
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.UserAgent 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\fatima\LOCALS~1\Temp\RGI371.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\ConnectionConfiguration 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\fatima\LOCALS~1\Temp\RGI372.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\fatima\LOCALS~1\Temp\RGI373.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.BrowseUI 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\fatima\LOCALS~1\Temp\RGI376.tmp
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{E4787289-4B33-4D21-9413-7C555AA876C5}\2.0\HELPDIR 5/19/2003 3:48:55 AM C:\DOCUME~1\fatima\LOCALS~1\Temp\Word8.0
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{E4787289-4B33-4D21-9413-7C555AA876C5}\2.0\0\win32 5/19/2003 3:48:55 AM C:\DOCUME~1\fatima\LOCALS~1\Temp\Word8.0\MSForms.exd
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE6SETUP 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\IXP000.TMP\IESetup.inf
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\mshtml.DllReg 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI11.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IEContentAdvisor.Assoc 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI12.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.Comctl32 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI2.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE.HKLMZoneInfo 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI3B.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\MSIEFTP 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI3D.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.Controls 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI7.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.Assoc 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI8.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.Browser 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGI9.tmp
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\IE40.Shell 5/19/2003 3:48:57 AM InstallINFFile C:\DOCUME~1\muhammed\LOCALS~1\Temp\RGIB.tmp
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{A17B2E2D-1F9A-46DF-9617-0480F2D19303}\2.0\HELPDIR 5/19/2003 3:48:55 AM C:\DOCUME~1\muhammed\LOCALS~1\Temp\Word8.0
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{A17B2E2D-1F9A-46DF-9617-0480F2D19303}\2.0\0\win32 5/19/2003 3:48:55 AM C:\DOCUME~1\muhammed\LOCALS~1\Temp\Word8.0\MSForms.exd
HKEY_CURRENT_USER Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_1.bmp
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_1.bmp
HKEY_CURRENT_USER Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd2 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_2.bmp
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd2 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_2.bmp
HKEY_CURRENT_USER Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd3 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_3.bmp
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Yahoo\Insthelper 9/4/2004 2:30:19 AM bkgnd3 C:\DOCUME~1\TEMP\LOCALS~1\Temp\bill_3.bmp
HKEY_LOCAL_MACHINE Software\Classes\Installer\Products\C838BEBA7A1AD5C47B1EB83441061073\SourceList\Net 6/16/2004 6:04:25 PM 1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\IXP000.TMP\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C838BEBA7A1AD5C47B1EB83441061073\InstallProperties 6/16/2004 6:03:39 PM InstallSource C:\DOCUME~1\TEMP\LOCALS~1\Temp\IXP000.TMP\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Uninstall\{ABEB838C-A1A7-4C5D-B7E1-8B4314600137} 6/16/2004 6:03:39 PM InstallSource C:\DOCUME~1\TEMP\LOCALS~1\Temp\IXP000.TMP\
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\oeupdate 2/16/2004 10:55:19 PM InstallINFFile C:\DOCUME~1\TEMP\LOCALS~1\Temp\IXP000.TMP\Q330994.inf
HKEY_LOCAL_MACHINE Software\Microsoft\Advanced INF Setup\ieupdate 2/16/2004 10:54:14 PM InstallINFFile C:\DOCUME~1\TEMP\LOCALS~1\Temp\IXP000.TMP\Q832894.inf
HKEY_LOCAL_MACHINE Software\Classes\Software\RealNetworks\Preferences\LastTempFile 6/4/2004 8:01:14 PM C:\DOCUME~1\TEMP\LOCALS~1\Temp\RN1C2.htm
HKEY_CURRENT_USER Software\Microsoft\MediaPlayer\Setup\FileMoveCache\Source 8/20/2004 10:32:50 PM 0 C:\DOCUME~1\TEMP\LOCALS~1\Temp\setb0.tmp
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Microsoft\MediaPlayer\Setup\FileMoveCache\Source 8/20/2004 10:32:50 PM 0 C:\DOCUME~1\TEMP\LOCALS~1\Temp\setb0.tmp
HKEY_CURRENT_USER Software\Microsoft\MediaPlayer\Setup\FileMoveCache\Source 8/20/2004 10:32:50 PM 1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\setb1.tmp
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Microsoft\MediaPlayer\Setup\FileMoveCache\Source 8/20/2004 10:32:50 PM 1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\setb1.tmp
HKEY_LOCAL_MACHINE Software\Classes\Installer\Products\497CA84818B8A04418EA464733D75B72\SourceList\Net 12/7/2004 12:46:14 AM 1 C:\DOCUME~1\TEMP\LOCALS~1\Temp\SYMWINST\SCS\webinst\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\497CA84818B8A04418EA464733D75B72\InstallProperties 12/7/2004 12:46:02 AM InstallSource C:\DOCUME~1\TEMP\LOCALS~1\Temp\SYMWINST\SCS\webinst\
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Uninstall\{848AC794-8B81-440A-81AE-6474337DB527} 12/7/2004 12:46:02 AM InstallSource C:\DOCUME~1\TEMP\LOCALS~1\Temp\SYMWINST\SCS\webinst\
HKEY_CURRENT_USER Software\Microsoft\FrontPage 10/27/2004 3:19:01 AM WecErrorLog C:\DOCUME~1\TEMP\LOCALS~1\Temp\wecerr.txt
HKEY_USERS S-1-5-21-1343024091-492894223-839522115-1000\Software\Microsoft\FrontPage 10/27/2004 3:19:01 AM WecErrorLog C:\DOCUME~1\TEMP\LOCALS~1\Temp\wecerr.txt
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{6ABF8175-C0FB-44CC-AAB6-DCCF990ADD55}\2.0\HELPDIR 9/26/2003 2:17:22 AM C:\DOCUME~1\TEMP\LOCALS~1\Temp\Word8.0
HKEY_LOCAL_MACHINE Software\Classes\TypeLib\{6ABF8175-C0FB-44CC-AAB6-DCCF990ADD55}\2.0\0\win32 9/26/2003 2:17:22 AM C:\DOCUME~1\TEMP\LOCALS~1\Temp\Word8.0\MSForms.exd
HKEY_LOCAL_MACHINE Software\ODBC\ODBC.INI\quaFDFdemo 5/19/2003 3:48:25 AM DBQ C:\INETPUB\quafdfdemo\quaFDFdemo.mdb <