Full Version: Ceres and other returning viruses
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
gojogo
Hi there

I have the advised virus checkers and keep uninstalling Ceres and other viruses manually, but they keep coming back. Can you help? Here's the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:30:49 PM, on 6/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QFGNNV.EXE
C:\WINDOWS\SYSTEM\LIGHTS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonion.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Madasafish
R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [qfgnnv] c:\windows\system\qfgnnv.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {8939CB6F-15AD-4ff2-9ECB-7312EDED5958} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...ubble_servicing
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
Many thanks for your help.
LoPhatPhuud
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKLM\..\Run: [qfgnnv] c:\windows\system\qfgnnv.exe

O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...ubble_servicing

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
c:\windows\system\qfgnnv.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in Normal Mode.

Run HiJackThis again and post a new log in this thread.
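The check the helper makes by eye when the second log arrives, written out as an added Python example (not code from this thread or from HijackThis): parse the entry lines, diff the first log against the second, and confirm that every flagged line is gone. The sample logs are cut down from the two logs posted in this thread; the parser and the names Entry, parse_log, removed_entries and still_present are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry line: section code (R0..R3, O1..O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

@dataclass(frozen=True)
class Entry:
    code: str           # section, e.g. "O2" (BHO), "O4" (Run key), "O16" (DPF/ActiveX)
    body: str           # text after "O2 - "; used as the identity of the entry
    clsid: str          # CLSID in braces, upper-cased, or "" if the line has none
    target: str         # file, URL or command the entry points at ("" if none)
    file_missing: bool  # HijackThis reports the referenced file as absent

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; None for headers, process paths and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    cm = CLSID_RE.search(body)
    clsid = cm.group(0).upper() if cm else ""
    missing = body.endswith(MISSING)
    if code == "O4" and "] " in body:
        target = body.split("] ", 1)[1]    # "HKLM\..\Run: [name] command"
    elif " - " in body:
        target = body.rsplit(" - ", 1)[1]  # "Name - {CLSID} - path or URL"
    elif " = " in body:
        target = body.split(" = ", 1)[1]   # "R0 - ...,Start Page = URL"
    else:
        target = ""
    if missing:
        target = target[: -len(MISSING)].strip()
    return Entry(code, body, clsid, target, missing)

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def removed_entries(before: str, after: str) -> List[Entry]:
    """Entries of the 'before' log that no longer appear in the 'after' log."""
    after_keys = {(e.code, e.body) for e in parse_log(after)}
    return [e for e in parse_log(before) if (e.code, e.body) not in after_keys]

def still_present(flagged: List[str], after: str) -> List[str]:
    """Flagged lines (as the helper posted them) that survive in the new log.
    Matched by CLSID where the line has one, otherwise by exact body."""
    after_entries = parse_log(after)
    clsids = {e.clsid for e in after_entries if e.clsid}
    bodies = {(e.code, e.body) for e in after_entries}
    leftovers = []
    for line in flagged:
        e = parse_entry(line)
        if e and ((e.clsid and e.clsid in clsids) or (e.code, e.body) in bodies):
            leftovers.append(line)
    return leftovers

# Constructed sample: the relevant lines of the first (infected) log in the thread ...
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonion.com/
R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [qfgnnv] c:\windows\system\qfgnnv.exe
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""
# ... and of the second log, posted after the fix.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonion.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""
# The lines the helper told the poster to fix.
FLAGGED = [
    r"R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)",
    r"O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL",
    r"O4 - HKLM\..\Run: [qfgnnv] c:\windows\system\qfgnnv.exe",
    r"O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll",
]

if __name__ == "__main__":
    for e in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"gone: {e.code:<3} {e.target}")
    print("flagged but still present:", still_present(FLAGGED, AFTER_LOG) or "none")
```

An entry that reappears in a later log with the same CLSID but a new file name is still caught, since still_present matches BHO and DPF entries by CLSID rather than by path.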
gojogo
Thanks for the help. Here's the new log...

Logfile of HijackThis v1.99.1
Scan saved at 8:03:30 PM, on 6/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\HIJAKTHISTO\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonion.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Madasafish
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {8939CB6F-15AD-4ff2-9ECB-7312EDED5958} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
gojogo
Sorry, here's the log again, now that I've unchecked protected operating system files.

I've also just run Spybot, and "Calling Home", "A Better Internet", "Holistyc" and "Hotsearchbar" are coming up.

Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 8:55:37 PM, on 6/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\HIJAKTHISTO\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonion.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Madasafish
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {8939CB6F-15AD-4ff2-9ECB-7312EDED5958} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/cont...s/AvDetInst.cab
LoPhatPhuud
Your log is clean.

Would you please post the Spybot S&D log so I can check the items you mentioned.
gojogo
Here's the Spybot report...

Thanks once more.

--- Search result list ---
Cache: Cache (127) (Cache, nothing done)


AbetterInternet: <$DIR_TEMP> (Directory, nothing done)
C:\WINDOWS\Application Data\..\Temp\DrTemp\

ACDSee: Folders global history (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\ACD Systems\ACDSee\HistPaths

ACDSee: File history (Registry change, nothing done)
HKEY_USERS\.DEFAULT\SOFTWARE\ACD Systems\ACDSee32\LastFolder!=

ACDSee: Last folder (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\ACD Systems\ACDSee\LastFolder!=

ACDSee: Last opened folder (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\ACD Systems\ACDSee\OpenFolder!=

Adobe Acrobat Reader 4: Recent file #4 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Adobe\Acrobat Reader\4.0\AdobeViewer\avpRecentFile4!=

Adobe Acrobat Reader 4: Recent file #1 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Adobe\Acrobat Reader\4.0\AdobeViewer\avpRecentFile1!=

Adobe Acrobat Reader 4: Recent file #2 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Adobe\Acrobat Reader\4.0\AdobeViewer\avpRecentFile2!=

Adobe Acrobat Reader 4: Recent file #3 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Adobe\Acrobat Reader\4.0\AdobeViewer\avpRecentFile3!=

Adobe Acrobat Reader 5: Recent file #1 (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c1

CallingHome.biz: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1

CallingHome.biz: Configuration file (File, nothing done)
C:\WINDOWS\inf\CERES.INF

CallingHome.biz: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\CeresDll.CeresDllObj

CallingHome.biz: Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Ceres\CSI4d3OfSInst

CallingHome.biz: Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Ceres\CSI4d3OfSDist

CallingHome.biz: Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Ceres\CSC4n3trMsgSDisp

Common Dialogs: History (276 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (59) (Cookie, nothing done)


FlashGet: Search terms history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Find

FlashGet: Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\JetCar\JetCar\Recent File List

Google Toolbar: Recent search list (20 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Google\NavClient\1.1\History

Holistyc: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

HotsearchBar: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}

HotsearchBar: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}

HotsearchBar: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Ceres

Internet Explorer: User agent (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: Last used directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Save Directory!=

Internet Explorer: Typed URL list (3 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\TypedURLs

Log: Shutdown: System\wbem\logs\winmgmt.log (Backup file, nothing done)
C:\WINDOWS\System\wbem\logs\winmgmt.log

Log: Activity: OEWABLog.txt (Backup file, nothing done)
C:\WINDOWS\OEWABLog.txt

Log: Activity: Sti_Trace.log (Backup file, nothing done)
C:\WINDOWS\Sti_Trace.log

Log: IE: brndlog.txt (Backup file, nothing done)
C:\WINDOWS\brndlog.txt

Log: Install: Active Setup Log.txt (Backup file, nothing done)
C:\WINDOWS\Active Setup Log.txt

Log: Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System\wbem\logs\mofcomp.log (Backup file, nothing done)
C:\WINDOWS\System\wbem\logs\mofcomp.log

Log: Shutdown: System\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System\wbem\logs\wbemcore.log

Log: Shutdown: System\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System\wbem\logs\wbemess.log

Log: Shutdown: System\wbem\logs\wbemprox.log (Backup file, nothing done)
C:\WINDOWS\System\wbem\logs\wbemprox.log

MS ClipArt Gallery 9.0: Used cliparts (3 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription

MS ClipArt Gallery 9.0: Last import directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\ClipArt Gallery\ImportDirectory!=

MS Direct3D: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS Frontpage: Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List

MS Frontpage: Recent page list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List

MS Frontpage: Recent web list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Media Player: Application data file (global) () (File, nothing done)
C:\WINDOWS\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

MS Media Player: Application data file (user) () (File, nothing done)
C:\WINDOWS\Application Data\Microsoft\Media Player\ActivePlaylist.dat

MS Media Player: Last CD record path (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath!=

MS Media Player: Last opened playlist (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: Last selected track index (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Media Player: Manually modified tags history (20 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit

MS Media Player: Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir!=

MS Office 9.0 (Excel): Recent files (4 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Excel\Recent Files

MS Office 9.0 (PowerPoint): Recent file list (9 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\PowerPoint\Recent File List

MS Office 9.0 (Script Editor): Most recent project list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\ProjectMRUList

MS Office 9.0 (Script Editor): Last loaded solution (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\LastLoadedSolution!=

MS Office 9.0 (Script Editor): Last new project item location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultNewProjItemLocation!=

MS Office 9.0 (Script Editor): Last new project location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultNewProjectLocation!=

MS Office 9.0 (Script Editor): Last opened file location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultFileOpenLocation!=

MS Office 9.0 (Script Editor): Last opened project item location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultOpenProjItemLocation!=

MS Office 9.0 (Script Editor): Last opened project location (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\DefaultOpenProjectLocation!=

MS Office 9.0 (Script Editor): Most recent menu list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MSE\9.0\MenuMRUList

MS Office 9.0 (Start Assistant): Last opened file directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Osa\FindFile\Place!=

MS Office 9.0 (Word): Recently used file list (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Word\Data\Settings

MS Office 9.0: Internet history (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Office\9.0\Common\Internet\LocationOfComponents

MS Office 9.0: Recently used files (92 files) (Directory, nothing done)
C:\WINDOWS\Application Data\Microsoft\Office\Recent\

MS Photo Editor: Recently used file type #4 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastType4

MS Photo Editor: Last used directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\File Options\Path!=

MS Photo Editor: Recently used file #1 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastFile1

MS Photo Editor: Recently used file #2 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastFile2

MS Photo Editor: Recently used file #3 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastFile3

MS Photo Editor: Recently used file #4 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastFile4

MS Photo Editor: Recently used file type #1 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastType1

MS Photo Editor: Recently used file type #2 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastType2

MS Photo Editor: Recently used file type #3 (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor\LastType3

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

MS Wordpad: Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

MusicMatch JukeBox: Last add song folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\MusicLibraryUI\Last add song dir!=

MusicMatch JukeBox: Last conversion destination folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\FileConv\DestDir!=

MusicMatch JukeBox: Last conversion source folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\FileConv\SourceDir!=

MusicMatch JukeBox: Setup download folder (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\download!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent skins #1 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins1\!=

RealOne Player 2 (aka RealPlayer 6.0): Last login time (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime\!=

RealOne Player 2 (aka RealPlayer 6.0): Last open file directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #1 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #2 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips2\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #3 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips3\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #4 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips4\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #5 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips5\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #6 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips6\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #7 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips7\!=

RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #8 (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips8\!=

Virtual Dub: Recently file list (4 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Freeware\VirtualDub\MRU List

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Computer search history #2 (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ComputerNameMRU

Windows Explorer: File search history (25 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU

Windows Explorer: Last visited history (26 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Run history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: Stream history (201 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: Text in files search history (25 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU

Windows Explorer: User Assistant history files (1854 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE (318 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Media SDK: Volume serial number (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName

Windows Media SDK: Unique ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}

Windows Network: Recent visited shared folder list (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\NetCrawl\Shares

Windows Network: Recent opened folder list (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Network\Recent

Windows.OpenWith: Open with list - .CUR extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUR\OpenWithList

Windows.OpenWith: Open with list - .ACE extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ACE\OpenWithList

Windows.OpenWith: Open with list - .AI extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList

Windows.OpenWith: Open with list - .AIS extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AIS\OpenWithList

Windows.OpenWith: Open with list - .ASF extension (6 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASF\OpenWithList

Windows.OpenWith: Open with list - .ASP extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASP\OpenWithList

Windows.OpenWith: Open with list - .ASX extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList

Windows.OpenWith: Open with list - .AU extension (4 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

Windows.OpenWith: Open with list - .AVI extension (11 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList

Windows.OpenWith: Open with list - .BAK extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAK\OpenWithList

Windows.OpenWith: Open with list - .BAT extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BAT\OpenWithList

Windows.OpenWith: Open with list - .BMP extension (9 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

Windows.OpenWith: Open with list - .BUP extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BUP\OpenWithList

Windows.OpenWith: Open with list - .CDA extension (5 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList

Windows.OpenWith: Open with list - .CIF extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CIF\OpenWithList

Windows.OpenWith: Open with list - .CIL extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CIL\OpenWithList

Windows.OpenWith: Open with list - .CNT extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CNT\OpenWithList

Windows.OpenWith: Open with list - .COM extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.COM\OpenWithList

Windows.OpenWith: Open with list - .CSS extension (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList

Windows: Install locations (6 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\InstallLocationsMRU

WinRAR: Extraction directory history (3 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\WinRAR\DialogEditHistory\ExtrPath

WinRAR: Last used directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\WinRAR\General\LastFolder!=

WinRAR: Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\WinRAR\ArcHistory

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\gzExtractTo!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\gzAddDir!=

WinZip: Add files directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\AddDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\zDefDir!=

WinZip: Default directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\DefDir!=

WinZip: Destination directory (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\directories\ExtractTo!=

WinZip: Number of times run (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\rrs\Opened!=

WinZip: Recent created file list (15 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\filemenu

WinZip: Recent extracted file list (10 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\extract

WinZip: Wizard Extraction folder history (2 files) (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\select


--- Spybot - Search && Destroy version: 1.3 ---
2005-04-26 Includes\Cookies.sbi
2005-06-23 Includes\Dialer.sbi
2005-06-23 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2005-06-23 Includes\Malware.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-15 Includes\Spybots.sbi
2005-06-21 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2004-11-29 Includes\LSP.sbi
2005-06-09 Includes\PUPS.sbi


--- System information ---
Windows ME (Build: 3000)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player: Windows Media Update 837272
/ Windows Media Player: Windows Media Update 885492
/ DirectX: DirectX Update 819696


--- Startup entries list ---
Located: HK_LM:Run, ashMaiSv
command: C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

Located: HK_LM:Run, AtiCwd32
command: Aticwd32.exe

Located: HK_LM:Run, AtiPTA
command: Atiptaxx.exe

Located: HK_LM:Run, AtiQiPcl
command: AtiQiPcl.exe

Located: HK_LM:Run, CreateCD50
command: C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
file: C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE
size: 110592
MD5: 1cef58dc46ad2b8f33ea2165d342f5d5

Located: HK_LM:Run, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 208c3f7142c109f3055cb07c95af0f2e

Located: HK_LM:Run, PCHealth
command: C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
file: C:\WINDOWS\PCHealth\Support\PCHSchd.exe
size: 24848
MD5: 37556315e7dadd5ee414b5a438b7843d

Located: HK_LM:Run, QuickTime Task
command: "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
file: C:\WINDOWS\SYSTEM\QTTASK.EXE
size: 77824
MD5: a997e887c720e1a0472b11bd2c01a8e8

Located: HK_LM:Run, ScanRegistry
command: C:\WINDOWS\scanregw.exe /autorun
file: C:\WINDOWS\scanregw.exe
size: 126976
MD5: 548ae8c51870ec245dac589b9bf271fc

Located: HK_LM:Run, SxgTkBar
command: SxgTkBar.exe
file: C:\WINDOWS\SYSTEM\SxgTkBar.exe
size: 36864
MD5: fec95c66b19bc6dcc10c544fa72122e0

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 36864
MD5: a29d4e875bc3ed7042a9159a89b597db

Located: HK_LM:Run, TaskMonitor
command: C:\WINDOWS\taskmon.exe
file: C:\WINDOWS\taskmon.exe
size: 28672
MD5: a23bca4b69ac68fd410b6afccb11af07

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: b8e684df9a97497edd2f87444a6307fb

Located: HK_LM:RunServices, *StateMgr
command: C:\WINDOWS\System\Restore\StateMgr.exe
file: C:\WINDOWS\System\Restore\StateMgr.exe
size: 24848
MD5: 02282c55dc8b1bf1ff1180c98d7337d6

Located: HK_LM:RunServices, ATIPOLAB
command:

Located: HK_LM:RunServices, KB891711
command: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
file: C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
size: 9088
MD5: cbd841775a04e82b2828fc301aafee70

Located: HK_LM:RunServices, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 208c3f7142c109f3055cb07c95af0f2e

Located: HK_LM:RunServices, Machine Debug Manager
command: C:\WINDOWS\SYSTEM\MDM.EXE
file: C:\WINDOWS\SYSTEM\MDM.EXE
size: 119400
MD5: 95d85d69ffc099c516d99cb9581e3fe2

Located: HK_LM:RunServices, SchedulingAgent
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 126976
MD5: 6770eaf1dfb8d3c952dca22cd956f570

Located: HK_LM:RunServices, StillImageMonitor
command: C:\WINDOWS\SYSTEM\STIMON.EXE
file: C:\WINDOWS\SYSTEM\STIMON.EXE
size: 28432
MD5: 902252f831d45763f7711b24ed430785

Located: HK_LM:Run, LoadQM (DISABLED)
command: loadqm.exe
file: C:\WINDOWS\loadqm.exe
size: 7536
MD5: 69d7217f9d7f49d6706baf90f52b472b

Located: HK_CU:Run, ATI Launchpad
command: "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
file: C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
size: 77824
MD5: 960f335324bbe86a883a290721ae1443

Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87



--- Browser helper object list ---
{A5366673-E8CA-11D3-9CD9-0090271D075B} (IeCatch2 Class)
BHO name:
CLSID name: IeCatch2 Class
description: FlashGet
classification: Open for discussion
known filename: Jccatch.dll
info link: http://www.amazesoft.com/
info source: TonyKlein
Path: C:\PROGRAM FILES\FLASHGET\
Long name: Jccatch.dll
Short name: JCCATCH.DLL
Date (created): 6/17/2001 2:31:00 PM
Date (last access): 6/30/2005
Date (last write): 2/6/2001 12:20:52 PM
Filesize: 65536
Attributes: archive
MD5: 864407965DEE243A8372036176974A4A
CRC32: 75990F9B
Version: 0.1.0.1

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (MSNToolBandBHO)
BHO name:
CLSID name: MSNToolBandBHO
Path: C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\
Long name: msntb.dll
Short name: MSNTB.DLL
Date (created): 3/22/2005 10:36:32 AM
Date (last access): 6/30/2005
Date (last write): 8/13/2004 5:42:38 PM
Filesize: 282624
Attributes: archive
MD5: 0DEB8B7CAD01EE86D1C4062E1B587C5A
CRC32: E8C466A1
Version: 0.1.0.2

{9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
BHO name:
CLSID name: ST
Path: C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\
Long name: stmain.dll
Short name: STMAIN.DLL
Date (created): 5/27/2005 11:32:36 AM
Date (last access): 6/30/2005
Date (last write): 8/13/2004 5:42:00 PM
Filesize: 155648
Attributes: archive
MD5: 0DA1349495955CB41A5899047C5A1267
CRC32: C050EECD
Version: 0.1.0.2

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~2.DLL
Date (created): 1/21/2005 4:52:16 PM
Date (last access): 6/30/2005
Date (last write): 12/2/2004 1:59:36 PM
Filesize: 696320
Attributes: readonly archive
MD5: F172252EDB81E3A7B86B1B6B336D8B33
CRC32: 6A41CB28
Version: 0.2.0.0

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 1/28/2005 7:17:14 PM
Date (last access): 6/30/2005
Date (last write): 3/2/2001 12:02:04 PM
Filesize: 37808
Attributes:
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 0.1.0.0

{4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuard Download Protection)
BHO name: SpywareGuard Download Protection
CLSID name: SpywareGuardDLBLOCK.CBrowserHelper
description: SpywareGuard download protection
classification: Legitimate
known filename: dlprotect.dll
info link: http://www.wilderssecurity.net/spywareguard.html
info source: TonyKlein
Path: C:\PROGRAM FILES\SPYWAREGUARD\
Long name: dlprotect.dll
Short name: DLPROT~1.DLL
Date (created): 8/2/2003 11:24:00 PM
Date (last access): 6/30/2005
Date (last write): 8/2/2003 11:24:02 PM
Filesize: 192512
Attributes: readonly archive
MD5: 964621E8B2415FEAA99026ED4F29D198
CRC32: DC8CF59D
Version: 0.2.0.2



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\MACROMED\FLASH\
Long name: FLASH.OCX
Short name:
Date (created): 6/9/2004 3:59:26 PM
Date (last access): 6/30/2005
Date (last write): 6/9/2004 3:59:26 PM
Filesize: 939224
Attributes:
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0

{00000055-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{D27CDB6E-AE6D-11CF-0000-000000000000} ()
DPF name:
CLSID name:

{A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
DPF name:
CLSID name: CRAVOnline Object
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: ravonline.dll
Short name: RAVONL~1.DLL
Date (created): 9/4/2003 3:00:22 PM
Date (last access): 6/30/2005
Date (last write): 9/4/2003 3:00:22 PM
Filesize: 200704
Attributes:
MD5: C8D24EB364FB71B810FAFB5222E55F1B
CRC32: 81A19FC7
Version: 0.1.0.1

{10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class)
DPF name:
CLSID name: DetInstaller Class
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: avdetinst.dll
Short name: AVDETI~1.DLL
Date (created): 9/10/2003 1:15:12 PM
Date (last access): 6/30/2005
Date (last write): 9/10/2003 1:15:12 PM
Filesize: 90112
Attributes:
MD5: 3BCCB0044A38F85836542313F392B659
CRC32: 6572BB0B
Version: 0.1.0.2



--- Process list ---
Spybot - Search && Destroy process list report, 6/30/2005 12:36:10 PM

PID: 4291787667 (2121222779) C:\WINDOWS\SYSTEM\KERNEL32.DLL
PID: 4294196979 (4294255359) C:\WINDOWS\SYSTEM\SPOOL32.EXE
PID: 4294255359 (4294345947) C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
PID: 4294537863 (4294607463) C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
PID: 4294551111 (4294881355) D:\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
PID: 4294580839 (4294735199) C:\WINDOWS\SYSTEM\PSTORES.EXE
PID: 4294607463 (4294881355) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
PID: 4294661919 (4294716551) C:\WINDOWS\SYSTEM\WMIEXE.EXE



C:\WINDOWS\SYSTEM\blank.htm
LoPhatPhuud
Thanks for the log. I'll check it over and post back tomorrow.

There was nothing critical in it, but there are a few items to clean up and I want to find the best and easiest way to do it.
gojogo
thanks a lot there.
LoPhatPhuud
The Spybot log showed mostly MRU lists and other innocuous items. You can have Spybot fix them or leave them alone. There were also some registry entries left over from a prior infection. These will be removed.

First:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

CODE
REGEDIT4

[-HKEY_CLASSES_ROOT\CeresDll.CeresDllObj.1]

[-HKEY_CLASSES_ROOT\CeresDll.CeresDllObj]

[-HKEY_USERS\.DEFAULT\Software\Ceres]



Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Second:
Delete the following file:
C:\WINDOWS\inf\CERES.INF


That will leave your system clean. You may want to reset your System Recovery as well since the infections may be in there as well.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows ME.......why?



One of the best features of Windows ME is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.



To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.



(Windows ME)

To disable System Restore:

1. Right-click My Computer, and then click Properties.

2. On the Performance tab, click File System, or press ALT+F.

3. On the Troubleshooting tab, click to select the Disable System Restore check box.

4. Click OK twice, and then click Yes when you are prompted to restart the computer.

5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.



How to Enable and Disable System Restore (Windows ME)

http://support.microsoft.com/default.aspx?...kb;en-us;264887
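The helper read the Spybot report above by hand; as an added example (not from the thread, from Spybot or from the forum), here is a Python parser for the report's "Startup entries list" section that pulls out each autostart record and flags the ones a reviewer checks first: empty commands, commands Spybot could not resolve to a file on disk, and bare executable names that depend on search order rather than an absolute path. The four sample records are copied from the log posted in this thread.

```python
"""Parse Spybot - Search & Destroy 'Startup entries list' records and triage them."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four records copied from the Spybot report posted in this
# thread, not the full list. Raw string so the Windows backslashes survive.
SAMPLE_LOG = r"""--- Startup entries list ---
Located: HK_LM:Run, AtiCwd32
command: Aticwd32.exe

Located: HK_LM:Run, CreateCD50
command: C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
file: C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE
size: 110592
MD5: 1cef58dc46ad2b8f33ea2165d342f5d5

Located: HK_LM:RunServices, ATIPOLAB
command:

Located: HK_CU:Run, ATI Launchpad
command: "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
file: C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
size: 77824
MD5: 960f335324bbe86a883a290721ae1443
"""

# Each record opens with "Located: <hive:key>, <registry value name>".
LOCATED_RE = re.compile(r"^Located: (?P<loc>[^,]+), (?P<name>.+)$")

@dataclass
class StartupEntry:
    location: str                # e.g. "HK_LM:Run" or "HK_LM:RunServices"
    name: str                    # registry value name, e.g. "CreateCD50"
    command: str = ""            # the command line stored in the registry
    file: Optional[str] = None   # path Spybot resolved the command to, if any
    size: Optional[int] = None
    md5: Optional[str] = None

def parse_startup_entries(text: str) -> list:
    """One StartupEntry per 'Located:' block; the key: value lines that follow fill it in."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCATED_RE.match(line)
        if m:
            current = StartupEntry(m["loc"].strip(), m["name"].strip())
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "command":
            current.command = value
        elif key == "file":
            current.file = value
        elif key == "size" and value.isdigit():
            current.size = int(value)
        elif key == "md5":
            current.md5 = value.lower()
    return entries

def triage(entries) -> dict:
    """Map entry name -> list of reasons the reviewer should look at it."""
    findings = {}
    for e in entries:
        reasons = []
        if not e.command:
            reasons.append("empty command: dead autostart value")
        elif e.file is None:
            reasons.append("Spybot could not resolve the command to a file on disk")
        if e.command:
            exe = e.command.split()[0]   # first token is the program being launched
            if not exe.startswith('"') and "\\" not in exe:
                reasons.append("bare executable name: found by search order, not an absolute path")
        if reasons:
            findings[e.name] = reasons
    return findings
```

Running `triage(parse_startup_entries(SAMPLE_LOG))` on the sample flags AtiCwd32 (unresolved, bare name) and ATIPOLAB (empty command) and leaves the two fully-pathed entries alone.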