I have used "hijack this" as well as bitfinder, panda, ccleaner, and search and destroy. Some of those were used in safe mode. I cannot get rid of the win32.qhost.df. Do I need to clear my restore points? I really am at a loss here.
I attached various logs that I did today. If more information is needed let me know. I am really an amateur at this and could have made mistakes.
I appreciate any help.
Logfile of HijackThis v1.99.1
Scan saved at 8:28:06 PM, on 10/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\services.exe
C:\Program Files\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\NAVRoam.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hjthis\analyse.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\emedia\zyx e mus 2\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmipc.exe] C:\WINDOWS\System32\dmipc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WinMedia] C:\361101032251719933.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6D89044-B51A-4FCA-9C14-7C63951AFE4A}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NAVRoam - symantec - C:\PROGRA~1\NavNT\NAVRoam.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Incident Status Location
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\eric\Cookies\eric@tribalfusion[2].txt
Adware:Adware/Naupoint Not disinfected C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll
Spyware:Cookie/PayCounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --List Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq164.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21D.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21E.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21F.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq231.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25C.tmp
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --List Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp
Spyware:Cookie/XXXCounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp
Spyware:Cookie/-- The nicest hobby on Earth ;) --tracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp
Spyware:Cookie/XXXCounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp
Virus:Trj/dmRandom.DX Disinfected C:\WINDOWS\system32\dmrcf.exe
****************************************************************************
* GetRunKeys.Bat - © 01/28/2006 By Chaslang *
* Beta only partially supports Win9x and ME *
* 10/27/2006 Version 1.50 beta *
* - Add flag for script mode install *
* - SuperHidden reg key values *
****************************************************************************
* Most of the information reported below is not necessarily bad. You must *
* not take any steps on any of these lines without consulting an expert. *
****************************************************************************
Windows OS is
Microsoft Windows XP [Version 5.1.2600]
It's Tue October 31, 2006 05:20:31 PM
******************************************************************************
ShowNew installation folder and files
"E:\GetRunKey\"
getrun~1.bat Oct 27 2006 45591 "GetRunKey.bat"
grep.exe Apr 14 2003 80412 "grep.exe"
locate.com Jan 13 2005 11254 "locate.com"
ltime.exe Oct 28 1986 13184 "ltime.exe"
4 items found: 4 files, 0 directories.
Total of file sizes: 150,441 bytes 146.91 K
----------------------------------------------------------------------------
Listing Standard Startup (Run) Registry Keys
----------------------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"WinMedia"="C:\\361101032251719933.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioAudioCentral"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\SMARTB~1\\MotiveSB.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"iTunesHelper"="\"E:\\emedia\\zyx e mus 2\\iTunesHelper.exe\""
"QuickTime Task"="\"E:\\K-Lite Codec Pack\\QuickTime\\qttask.exe\" -atboottime"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnceEx]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
----------------------------------------------------------------------------
Listing MSCONFIG Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000002
"services"=dword:00000000
"startup"=dword:00000000
----------------------------------------------------------------------------
Listing ModuleUsage Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/bdoscandel.exe]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/bdoscandellang.ini]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/asinst.dll]
".Owner"="{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"
"{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/bdcore.dll]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/bdupd.dll]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ipsupd.dll]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/lang.ini]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/libfn.dll]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/live.ini]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/oscan8.ocx]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/oscan81.ocx_x]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/scanoptions.tsi]
".Owner"="{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
"{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"=""
----------------------------------------------------------------------------
Listing HKCU Policies Registry Keys
----------------------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
----------------------------------------------------------------------------
Listing HKCU Explorer\Advanced//Hidden and SuperHidden Registry Keys
we want their values to be all equal to 1
if Hidden = 0 then Hidden Files and Folders are not shown
if SuperHidden = 0 then File Extension are not shown
if ShowSuperHidden = 0 then Operation System Files are not shown
----------------------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000001
----------------------------------------------------------------------------
Listing HKLM Policies Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
----------------------------------------------------------------------------
Listing BHO Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
----------------------------------------------------------------------------
Listing SharedTaskScheduler Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
----------------------------------------------------------------------------
Listing ShellExecuteHooks Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
----------------------------------------------------------------------------
Listing ShellServiceObjectDelayLoad Registry Keys
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
----------------------------------------------------------------------------
Listing Default URL Prefix Keys - a possible hijack point
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
----------------------------------------------------------------------------
HKEY_CURRENT_USER ZoneMap ProtocolDefaults
----------------------------------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
----------------------------------------------------------------------------
Miscellaneous Malware Detection Report
----------------------------------------------------------------------------
List of Malware found in SharedTaskScheduler
------------------------------------------------------------------------
No Malware found in SharedTaskScheduler
------------------------------------------------------------------------
List of Malware found in C:\WINDOWS\system32
------------------------------------------------------------------------
No Malware found in C:\WINDOWS\system32
------------------------------------------------------------------------
Check for Troj-Torpig-D,E,J Keylogger
------------------------------------------------------------------------
Troj-Torpig-D,E,J Keylogger was not found
------------------------------------------------------------------------
Looking for winlogonhook/conhook trojan
------------------------------------------------------------------------
winlogonhook/conhook key not found
------------------------------------------------------------------------
******************************************************************************
* ShowNew.Bat - © 07/01/2006 By Chaslang *
* *
* 10/27/2006 Version 0.19 beta - Remove tmpnewfiles.txt when finished *
* - Add flag for script mode install *
* - Add \Program Files\DeluxeCommunications *
* - Webhancer - Add \Program Files\em *
* 10/28/2006 Version 0.20 beta - Webhancer - Add \Program Files\mm *
******************************************************************************
* Most of the information reported below is not necessarily bad. You must *
* not take any steps on any of these lines without consulting an expert. *
******************************************************************************
Windows OS is
Microsoft Windows XP [Version 5.1.2600]
It's Tue October 31, 2006 05:22:49 PM
******************************************************************************
ShowNew installation folder and files
"E:\ShowNew\"
grep.exe Apr 14 2003 80412 "grep.exe"
locate.com Jan 13 2005 11254 "locate.com"
ltime.exe Oct 28 1986 13184 "ltime.exe"
shownew.bat Oct 28 2006 34308 "ShowNew.bat"
4 items found: 4 files, 0 directories.
Total of file sizes: 139,158 bytes 135.89 K
******************************************************************************
System Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\eric\Application Data
CLASSPATH=.;E:\K-Lite Codec Pack\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DIM4100
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\DIM4100
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;E:\K-Lite Codec Pack\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=E:\K-Lite Codec Pack\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\eric\LOCALS~1\Temp
TMP=C:\DOCUME~1\eric\LOCALS~1\Temp
USERDOMAIN=DIM4100
USERNAME=eric
USERPROFILE=C:\Documents and Settings\eric
windir=C:\WINDOWS
******************************************************************************
Showing any Pocket Killbox backup files
No matches found.
******************************************************************************
Not All Files Found are bad files: DO NOT TOUCH THEM WITHOUT EXPERT HELP!!!!
******************************************************************************
Locating all files created in C:\Documents and Settings\eric\Desktop within the last 90 days.
"C:\Documents and Settings\eric\Desktop\"
ccleaner.lnk Oct 31 2006 520 "CCleaner.lnk"
explorer.lnk Aug 16 2006 837 "Explorer.lnk"
mycomp~1.lnk Aug 16 2006 172 "My Computer.lnk"
shortc~1.lnk Aug 16 2006 417 "Shortcut to emedia.lnk"
shortc~2.lnk Aug 16 2006 458 "Shortcut to music.lnk"
shortc~3.lnk Aug 16 2006 471 "Shortcut to documents.lnk"
spybot~1.lnk Oct 31 2006 687 "Spybot - Search & Destroy.lnk"
thumbs.db Sep 3 2006 18432 "Thumbs.db"
8 items found: 8 files (1 H/S), 0 directories.
Total of file sizes: 21,994 bytes 21.48 K
******************************************************************************
Locating all files created in C:\Documents and Settings\eric\Start Menu\Programs\Startup within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Documents and Settings\All Users\Start Menu within the last 90 days.
"C:\Documents and Settings\All Users\Start Menu\"
newoff~1.lnk Oct 31 2006 2433 "New Office Document.lnk"
openof~1.lnk Oct 31 2006 2443 "Open Office Document.lnk"
2 items found: 2 files, 0 directories.
Total of file sizes: 4,876 bytes 4.76 K
******************************************************************************
Locating all files created in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Documents and Settings\All Users\Desktop\ within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Documents and Settings\eric\Application Data\ within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Documents and Settings\eric\Local Settings\Application Data\ within the last 90 days.
"C:\Documents and Settings\eric\Local Settings\Application Data\"
dcbc2a~1.ini Oct 30 2006 384000 "DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini"
gdipfo~1.dat Aug 29 2006 15976 "GDIPFONTCACHEV1.DAT"
iconca~1.db Oct 31 2006 3184656 "IconCache.db"
SUN Oct 31 2006 "Sun"
4 items found: 3 files (1 H/S), 1 directory.
Total of file sizes: 3,584,632 bytes 3.42 M
******************************************************************************
Locating all files created in C:\Documents and Settings\All Users\Application Data\ within the last 90 days.
"C:\Documents and Settings\All Users\Application Data\"
qtsban~1 Oct 27 2006 2910 "QTSBandwidthCache"
SPYBOT~1 Oct 31 2006 "Spybot - Search & Destroy"
2 items found: 1 file, 1 directory.
Total of file sizes: 2,910 bytes 2.84 K
******************************************************************************
Locating all files created in C:\Program Files\ within the last 90 days.
"C:\Program Files\"
DELL Aug 28 2006 "Dell"
IPOD Aug 6 2006 "iPod"
SECURI~1 Oct 26 2006 "Security Stronghold"
3 items found: 0 files, 3 directories.
******************************************************************************
DeluxeCommunications Search (new form of SurfSideKick)
Locating all files created in C:\Program Files\DeluxeCommunications\ within the last 90 days.
No matches found.
******************************************************************************
WebHancer - dohancer form Search
Locating all files created in C:\Program Files\em\ within the last 90 days.
No matches found.
******************************************************************************
WebHancer - hancmmnew form Search
Locating all files created in C:\Program Files\mm\ within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Program Files\Common Files\ within the last 90 days.
No matches found.
******************************************************************************
Locating all files created in C:\Program Files\Common Files\Microsoft Shared\Web Folders within the last 120 days.
No matches found.
******************************************************************************
Locating all files created in C:\ within the last 90 days.
"C:\"
361101~2.exe Oct 31 2006 3072 "361101032251719933.exe"
361101~3.exe Oct 31 2006 3072 "361101032251723147.exe"
boot.ini Oct 31 2006 194 "boot.ini"
CONFIG.MSI Oct 26 2006 "Config.Msi"
hiberfil.sys Oct 31 2006 267767808 "hiberfil.sys"
newfiles.txt Oct 31 2006 9194 "newfiles.txt"
pagefile.sys Oct 31 2006 402653184 "pagefile.sys"
pkgclnup.log Oct 26 2006 16846 "PkgClnup.log"
runkeys.txt Oct 31 2006 12664 "runkeys.txt"
thumbs.db Sep 3 2006 30720 "Thumbs.db"
truesw~1.exe Oct 26 2006 3045651 "TrueSword.exe"
_navcclt.log Oct 26 2006 37042 "_NavCClt.Log"
12 items found: 11 files (6 H/S), 1 directory (1 H/S).
Total of file sizes: 673,579,447 bytes 642.38 M
******************************************************************************
Locating all files created in C:\WINDOWS\Downloaded Program Files\ within the last 90 days.
"C:\WINDOWS\Downloaded Program Files\"
asinst.dll Aug 24 2006 141424 "asinst.dll"
asinst.inf Aug 22 2006 537 "asinst.inf"
2 items found: 2 files, 0 directories.
Total of file sizes: 141,961 bytes 138.63 K
******************************************************************************
Locating .EXE files created in C:\WINDOWS within the last 360 days.
"C:\WINDOWS\"
bdosca~1.exe May 25 2006 53248 "bdoscandel.exe"
1 item found: 1 file, 0 directories.
Total of file sizes: 53,248 bytes 52.00 K
******************************************************************************
Locating .EXE files created in C:\WINDOWS\system32 within the last 90 days.
"C:\WINDOWS\system32\"
asuninst.exe Aug 2 2006 73728 "asuninst.exe"
mrt.exe Oct 4 2006 9639336 "MRT.exe"
2 items found: 2 files, 0 directories.
Total of file sizes: 9,713,064 bytes 9.26 M
******************************************************************************
Locating .DLL files created in C:\WINDOWS within the last 360 days.
No matches found.
******************************************************************************
Locating .DLL files created in C:\WINDOWS\System32 within the last 90 days.
No matches found.
******************************************************************************
Locating .TMP files created in C:\WINDOWS\System32 within the last 90 days.
No matches found.
******************************************************************************
Locating .INI files created in C:\WINDOWS\System32 within the last 90 days.
"C:\WINDOWS\system32\"
perfst~1.ini Oct 29 2006 439552 "PerfStringBackup.INI"
1 item found: 1 file, 0 directories.
Total of file sizes: 439,552 bytes 429.25 K
******************************************************************************
Locating .DAT files created in C:\WINDOWS\System32 within the last 90 days.
"C:\WINDOWS\system32\"
d3d8caps.dat Oct 21 2006 1632 "d3d8caps.dat"
perfc009.dat Oct 29 2006 52764 "perfc009.dat"
perfh009.dat Oct 29 2006 380350 "perfh009.dat"
3 items found: 3 files, 0 directories.
Total of file sizes: 434,746 bytes 424.55 K
******************************************************************************
Locating all files created in C:\WINDOWS\System32\components within the last 90 days.
This folder is now being used by Trojan.FakeAlert.CX aka SmitFraud
No matches found.
******************************************************************************
Locating C:\WINDOWS\TEMP files created with in the last 90 days.
"C:\WINDOWS\Temp\"
ASHEUR~1 Oct 31 2006 "ASHeuristic"
1 item found: 0 files, 1 directory.
******************************************************************************
Locating C:\Documents and Settings\eric\Local Settings\TEMP files created within the last 90 days.
"C:\Documents and Settings\eric\Local Settings\Temp\"
gkjnr~1.con Oct 31 2006 207 "gkjnr.conf"
jusched.log Oct 31 2006 196 "jusched.log"
2 items found: 2 files, 0 directories.
Total of file sizes: 403 bytes 0.39 K
******************************************************************************
Locating .COM files in the C:\WINDOWS\System32 folder
"C:\WINDOWS\system32\"
chcp.com Aug 23 2001 7680 "chcp.com"
command.com Aug 23 2001 50620 "command.com"
diskcomp.com Aug 23