Unusual Program

#1
02-08-2006, 05:48 PM
roksteady (D-A-L Newbie; Join Date: Aug 2006; Posts: 7)
Unusual Program

When I select a restart of my computer I get a message ending the program F9rKdFrWLF4BwaFmMc4kqw24+de....

I've noticed that my PC never shuts down. I can leave it on all night and it will never turn off. And my cursor sometimes moves by itself.

I have run several virus and spyware scans but nothing comes up. Is it a virus or part of another program or have I been hacked?
#3
03-08-2006, 07:39 PM
Neal (Senior Member; Join Date: Sep 2005; Posts: 5,524)
Re: Unusual Program

Hi,

Go here: Read This First - IMPORTANT Instructions

Do everything there and post a HijackThis log from the link provided please. Thanks.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free.

MALWARE: READ FIRST Procedures: | SpyBot V1.5 | HijackThis Log V2.0.2 |

ASAP: promoting a high standard and quality of security support no matter where you seek help.
#4
04-08-2006, 04:08 AM
roksteady (D-A-L Newbie; Join Date: Aug 2006; Posts: 7)
Re: Unusual Program

Logfile of HijackThis v1.99.1
Scan saved at 8:39:34 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1153696854\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\mcafee.com\personal firewall\MPFTray.exe
c:\program files\common files\aol\1153696854\ee\services\sscAntiSpywarePlugin\ver1_205_1_1\AOLSP Scheduler.exe
C:\Program Files\AIM\aim.exe
c:\program files\common files\aol\1153696854\ee\aexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us5.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\mcafee.com\personal firewall\MPFTray.exe"
O4 - HKLM\..\Run: [NoTrace] "C:\Program Files\No Trace\NoTrace2.exe" -mini
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153789686138
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153962817810
O17 - HKLM\System\CCS\Services\Tcpip\..\{B37AB720-9CFE-4D30-9CAE-F9134244725C}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
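A helper reads a log like the one above by eye. As an added example (not code from the thread or from the HijackThis project; function names are mine, and the sample log is constructed from a few lines of post #4), the Python script below parses a log in this v1.99 format into its sections and pulls out the items a reviewer verifies first: the running processes, O4 autostart entries, O17 per-adapter DNS servers, O2 BHOs listed without a name, and O20 Winlogon Notify DLLs. None of these is a verdict; the unnamed BHO in this log, for instance, is Spybot's own SDHelper.dll.

```python
"""Parse a HijackThis v1.99-style log and list what a reviewer checks first.

Added example, not code from the thread or the HijackThis project; function
names are mine and the sample log is constructed from lines of post #4.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted above, same format.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B37AB720-9CFE-4D30-9CAE-F9134244725C}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
"""

# Each entry opens with its section tag (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: <hive>\..\<key>: [<value name>] <command line>
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O17 body ends with "NameServer = a.b.c.d" (several servers are comma-separated)
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")


def parse_hjt_log(text):
    """Return (running_processes, entries); entries maps section tag -> list of bodies."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("section")].append(m.group("body"))
        elif in_processes:
            processes.append(line)
    return processes, dict(entries)


def autostarts(entries):
    """O4: (hive, value name, command) for each Run/RunOnce autostart."""
    found = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found


def nameservers(entries):
    """O17: DNS servers set per adapter; compare them with the ISP's or router's."""
    servers = []
    for body in entries.get("O17", []):
        m = NS_RE.search(body)
        if m:
            servers.extend(s.strip() for s in m.group("servers").split(",") if s.strip())
    return servers


def unnamed_bhos(entries):
    """O2 BHOs with no product name: a prompt to identify the DLL, not a verdict."""
    return [b.split(" - ")[-1] for b in entries.get("O2", []) if b.startswith("BHO: (no name)")]


def winlogon_notify_dlls(entries):
    """O20: DLLs winlogon.exe loads at logon; each should be a known vendor file."""
    return [b.split(" - ", 1)[1] for b in entries.get("O20", []) if b.startswith("Winlogon Notify:")]


def review_sheet(text):
    """Everything above in one dict, in the order a helper walks through it."""
    processes, entries = parse_hjt_log(text)
    return {
        "sections": sorted(entries),
        "processes": processes,
        "autostarts": autostarts(entries),
        "nameservers": nameservers(entries),
        "unnamed_bhos": unnamed_bhos(entries),
        "winlogon_notify": winlogon_notify_dlls(entries),
    }


if __name__ == "__main__":
    for key, value in review_sheet(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```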
#5
04-08-2006, 05:15 PM
Neal (Senior Member; Join Date: Sep 2005; Posts: 5,524)
Re: Unusual Program

Not a thing showing in that log.

Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).
  • Click the Download button. On the next page click the Download now button.
  • Save and then install (Run) from the save location.
  • Open/Run Ewido anti-spyware.
  • Wait a few moments and Ewido should auto-update itself (note the date of the last update). If it doesn't update, click the Update icon at the top of the screen:
    • Click on the Update now link at the top of the window.
    • Click on the Start update button.
    • Wait for the update to download and install.
  • This is very important, to get the LATEST updates.
  • Click on the Status icon.
    • Under "Your computers Security", click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean).
  • Click on the Scanner icon at the top of the window.
  • Click on the Settings tab, then select Recommended Actions and choose Quarantine.

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan:
  • Click on the default Status icon and select the Scan now link.

    OR

  • Click on the Scanner icon. Select the Scan tab.
    • Select Complete System Scan. Ewido will now begin to scan your system.
  • If Ewido finds anything it will list them in the Preview window:
    • Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
    • Select Apply all actions at the bottom of the window (and the items found will be quarantined - and recoverable, if any items are needed back).
  • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
  • Copy and paste the Ewido scan results into your next post.
  • Close Ewido.
#6
04-08-2006, 08:03 PM
roksteady (D-A-L Newbie; Join Date: Aug 2006; Posts: 7)
Re: Unusual Program

I have also noticed that in my Documents and Settings folder there are numerous folders/users: Administrator, Administrator.HOME, Administrator.HOME.000, All Users, Default User, and Owner. Administrator.HOME and Administrator.HOME.000 have been created in the last 3 days.



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:58:05 PM 8/4/2006

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\Cache(2)\E9E8024Dd01 -> Dropper.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\Muzik\(Crack) prevx1 console crack 55.zip/install.exe -> Hijacker.Agent.hi : Cleaned with backup (quarantined).
:mozilla.397:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.248:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.249:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.250:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.251:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.252:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.253:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.179:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.158:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.159:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.160:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.162:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.164:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.336:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.241:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.205:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.206:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.504:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (quarantined).
:mozilla.303:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.304:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup (quarantined).
:mozilla.319:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.320:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.321:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.316:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.317:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.318:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup (quarantined).
:mozilla.226:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.227:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.228:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.229:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.230:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.231:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.232:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.291:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.296:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
:mozilla.256:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.257:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.258:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.259:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.260:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.261:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.262:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.278:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.279:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.280:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.282:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.283:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.456:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.457:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.458:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end
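The Ewido report above lists two non-cookie detections (a Dropper in the Firefox cache and a Hijacker inside a cracked-software archive) among dozens of tracking-cookie entries, and that ratio is what makes long reports easy to skim past. As an added example, not the thread's or Ewido's own code, the Python parser below reads a scan report in this 4.0 format, separates TrackingCookie hits from everything else, and notes which detections sat inside an archive whose outer file may still be on disk. The sample report is constructed from a few lines of the post; function names are mine.

```python
"""Parse an Ewido anti-spyware 4.0 scan report; separate cookies from real detections.

Added example, not from the thread or from Ewido. Names are my own; the sample
report is constructed from a few lines of the report posted above.
"""
import re
from collections import Counter

# Constructed sample in the format of the posted report (a subset of its lines).
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:58:05 PM 8/4/2006

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\Cache(2)\E9E8024Dd01 -> Dropper.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Desktop\Muzik\(Crack) prevx1 console crack 55.zip/install.exe -> Hijacker.Agent.hi : Cleaned with backup (quarantined).
:mozilla.397:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqe6wxno.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).

::Report end
"""

# Detection line: "<location> -> <detection name> : <action>."
FINDING_RE = re.compile(r"^(?P<location>.+?) -> (?P<name>[\w.\-]+) : (?P<action>.+?)\.?$")
# ":mozilla.<n>:<path>" means entry n inside a Firefox cookies.txt, not a file of its own.
MOZ_RE = re.compile(r"^:mozilla\.(?P<index>\d+):(?P<file>.+)$")
# A "/" after an archive extension means the hit was a member of that archive.
ARCHIVE_RE = re.compile(r"\.(zip|rar|cab|jar)/", re.IGNORECASE)


def parse_report(text):
    """Return one dict per detection line; header and footer lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if not m:
            continue
        location, name, action = m.group("location"), m.group("name"), m.group("action")
        moz = MOZ_RE.match(location)
        archive = ARCHIVE_RE.search(location)
        findings.append({
            "location": location,
            "name": name,
            "family": name.split(".")[0],      # TrackingCookie, Dropper, Hijacker, ...
            "action": action,
            "container": moz.group("file") if moz else None,
            "in_archive": location[: archive.end() - 1] if archive else None,
        })
    return findings


def triage(findings):
    """Split into (cookies, other): cookies are noise, everything else needs a look."""
    cookies = [f for f in findings if f["family"] == "TrackingCookie"]
    other = [f for f in findings if f["family"] != "TrackingCookie"]
    return cookies, other


def family_counts(findings):
    """Hits per family, for a one-line summary of a long report."""
    return Counter(f["family"] for f in findings)


def archives_to_check(findings):
    """Archives that held a quarantined member; the archive itself may still be on disk."""
    return sorted({f["in_archive"] for f in findings if f["in_archive"]})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    cookies, other = triage(found)
    print(f"{len(found)} detections, {len(cookies)} of them cookies: {dict(family_counts(found))}")
    for f in other:
        print(f"CHECK   {f['name']:<20} {f['location']}")
    for a in archives_to_check(found):
        print(f"ARCHIVE {a}")
```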
#7
04-08-2006, 10:43 PM
Neal (Senior Member; Join Date: Sep 2005; Posts: 5,524)
Re: Unusual Program

Just cookies, nothing else.


www.silentrunners.org/Silent%20Runners.zip

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Please wait until it prompts you the scan is finished! Save and post the log it makes.


Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.
Please print these instructions as you will be going into safe mode.
Reboot your computer into Safe Mode by following these steps:

Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#8
Old 05-08-2006, 02:51 PM
roksteady
D-A-L Newbie
Join Date: Aug 2006
Posts: 7
Re: Unusual Program

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Microsoft Works Update Detection" = "c:\Program Files\Microsoft Works\WkDetect.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"S3apphk" = "S3apphk.exe" [null data]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"MPFEXE" = "C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" ["McAfee Security"]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
"OASClnt" = "C:\Program Files\mcafee.com\antivirus\oasclnt.exe" ["McAfee, Inc."]
"EmailScan" = "C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]


Default executables:
--------------------

HKLM\Software\Classes\.hta\(Default) = (value not set)


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"



Enabled Scheduled Tasks:
------------------------

"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "&hp toolkit"
\InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "&hp toolkit"
\InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp toolkit"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "&hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{17A27031-71FC-11D4-815C-005004D0F1FA}\
"ButtonText" = "MktBrowser"
"MenuText" = "MarketBrowser"
"Exec" = "C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy" [null data]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
McAfee McShield, McShield, "C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe" ["McAfee Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\mcafee.com\personal firewall\MPFService.exe"" ["McAfee Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 88 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 144 seconds)
#9
Old 05-08-2006, 03:41 PM
roksteady
D-A-L Newbie
Join Date: Aug 2006
Posts: 7
Re: Unusual Program

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
Umonitor 8/4/2006 11:49:42 AM 38829 C:\WINDOWS\pxinstall_log.txt

Checking %System% folder...
PEC2 8/18/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 7/6/2006 648 PM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 336 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 344 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 10/24/2001 11:44:12 PM 253440 C:\WINDOWS\SYSTEM32\RDBios32.DLL
winsync 8/18/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/5/2006 9:57:34 AM S 2048 C:\WINDOWS\bootstat.dat
8/4/2006 10:37:48 AM H 54156 C:\WINDOWS\QTFont.qfn
7/24/2006 9:18:16 PM H 0 C:\WINDOWS\inf\oem51.inf
7/27/2006 10:14:52 AM H 0 C:\WINDOWS\inf\oem54.inf
7/27/2006 9:47:14 AM RHS 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
8/3/2006 1:34:18 PM HS 40973 C:\WINDOWS\system32\yayvsst.dll
7/23/2006 7:08:26 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
6/22/2006 7:18:30 AM S 13309 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911280.cat
6/19/2006 4:20:58 PM S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
8/5/2006 9:57:24 AM H 8192 C:\WINDOWS\system32\config\default.LOG
8/5/2006 9:57:48 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/5/2006 9:57:36 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/5/2006 9:58:38 AM H 135168 C:\WINDOWS\system32\config\software.LOG
8/5/2006 9:57:42 AM H 1015808 C:\WINDOWS\system32\config\system.LOG
7/26/2006 7:58:08 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/26/2006 8:10:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6b653359-1bff-46d2-b83b-8c71a8c2ba26
7/26/2006 8:10:30 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
7/23/2006 5:58:00 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9aa831c2-5209-4f58-9be8-12962d8d73b5
7/23/2006 8:18:10 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\dcfb480d-dbcd-4993-a431-e675fc3f20f3
7/23/2006 5:58:00 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/5/2006 9:54:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 358 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 358 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 358 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 358 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 358 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 358 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 3/12/2002 6:23:58 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 358 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 358 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 358 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 358 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 8/26/2005 6:14:42 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 358 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 358 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 358 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 3/9/2002 7:53:00 PM 106496 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 358 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 358 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 7/23/2006 7:23:00 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Apple Computer, Inc. 1/6/2004 4:02:36 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft 3/3/1999 3:10:02 AM 49152 C:\WINDOWS\SYSTEM32\speech.cpl
12/29/2002 1:14:38 AM 81920 C:\WINDOWS\SYSTEM32\Startup.cpl
Microsoft Corporation 8/4/2004 358 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 358 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 358 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 3/12/2002 6:23:58 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

4/20/2002 12:16:46 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/19/2002 5:08:38 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/17/2001 9:22:52 PM 36864 C:\Documents and Settings\Administrator.HOME.001\Start Menu\Programs\Startup\AutoPlay.exe
4/20/2002 12:16:46 AM HS 84 C:\Documents and Settings\Administrator.HOME.001\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/19/2002 5:08:38 PM HS 62 C:\Documents and Settings\Administrator.HOME.001\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp toolkit = C:\WINDOWS\System32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = &hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{17A27031-71FC-11d4-815C-005004D0F1FA}
ButtonText = MktBrowser : C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = &hp toolkit : C:\HP\EXPLOREBAR\HPTOOLKT.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
PreloadApp c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
dla C:\WINDOWS\system32\dla\tfswctrl.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
nwiz nwiz.exe /install
S3apphk S3apphk.exe
PS2 C:\WINDOWS\system32\ps2.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
MPFEXE C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
OASClnt C:\Program Files\mcafee.com\antivirus\oasclnt.exe
EmailScan C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/5/2006 10:06:03 AM
#10
Old 06-08-2006, 12:59 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Unusual Program

Hi,


Did you install MarketBrowser, or did it just appear? Please let me know.


Now let's see if we can kill the Vundo Trojan I found in the WinPFind log.



Please download VundoFix to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to "Run VundoFix as a task."
* You will receive a message saying vundofix will close and re-open in a minute or less. Click "OK".
* When VundoFix re-opens, click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* If it says "No infected files were found", right-click the blank listbox (white box) in the main VundoFix window.
* Select "Add More Files?" from the menu that comes up. This will open a new VundoFix window that says "Paste files into the boxes below:"




* In the top/first field, copy and paste the path to the dll: C:\WINDOWS\system32\yayvsst.dll
* In the next/second field, copy and paste the path to the reversed file: C:\WINDOWS\system32\tssvyay.*


File paths are in bold


* Click the "Add Files" button.
* Click the "Close Window" button.
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click "YES".
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click "OK".
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

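As an added example (not part of this thread, and not code from WinPFind or VundoFix), here is a small Python triage helper that parses the "system and hidden files" lines WinPFind prints and flags the pattern Neal used to spot Vundo in the log above: a random-named, lower-case DLL sitting directly in system32 with the Hidden+System attributes; for each hit it also derives the reversed-name companion path that the VundoFix steps ask for (yayvsst.dll -> tssvyay.*). The sample lines are constructed from the posted log, and the name heuristic, the `triage` function and the other helper names are assumptions of this example.

```python
"""WinPFind triage helper (added example; not from this thread, WinPFind or VundoFix).

Parses the "system and hidden files within the last 60 days" lines that
WinPFind prints and flags Hidden+System DLLs with random-looking names
dropped directly into system32. For each hit it derives the reversed-name
companion path that the VundoFix steps ask for. The heuristic is a triage
aid for a human reviewer, not a verdict.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One WinPFind entry per line: date, time, optional attribute letters
# (R/H/S/A), size in bytes, full path. Paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?:(?P<attrs>[RHSA]+) )?"
    r"(?P<size>\d+) "
    r"(?P<path>[A-Za-z]:\\.+)$"
)

# Vundo-era droppers used a short run of lower-case letters with no vendor
# hint; this is a heuristic chosen for this example, not a signature.
RANDOM_DLL_RE = re.compile(r"^[a-z]{6,9}\.dll$")

SYSTEM32 = r"c:\windows\system32"


@dataclass
class Entry:
    modified: datetime
    attrs: str
    size: int
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a WinPFind file line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    modified = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return Entry(modified, m["attrs"] or "", int(m["size"]), m["path"])


def split_path(path: str):
    directory, _, name = path.rpartition("\\")
    return directory, name


def is_suspect(entry: Entry) -> bool:
    """Hidden+System DLL with a random-looking name directly in system32."""
    directory, name = split_path(entry.path)
    if directory.lower() != SYSTEM32:
        return False  # legitimate HS files live in sub-folders (Protect, CatRoot)
    if "H" not in entry.attrs or "S" not in entry.attrs:
        return False
    return RANDOM_DLL_RE.match(name) is not None


def reversed_companion(path: str) -> str:
    """Vundo kept a second file whose base name is the first one spelled
    backwards; VundoFix wants it with a wildcard extension (yayvsst -> tssvyay.*)."""
    directory, name = split_path(path)
    stem = name.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*"


def triage(log_text: str) -> List[dict]:
    """Scan a WinPFind log and return the suspect entries with companion paths."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits.append({
                "path": entry.path,
                "companion": reversed_companion(entry.path),
                "modified": entry.modified.isoformat(sep=" "),
                "size": entry.size,
            })
    return hits


# Constructed sample: a subset of the lines from the WinPFind log posted above.
SAMPLE_LOG = r"""
8/5/2006 9:57:34 AM S 2048 C:\WINDOWS\bootstat.dat
8/4/2006 10:37:48 AM H 54156 C:\WINDOWS\QTFont.qfn
7/27/2006 9:47:14 AM RHS 286777 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
8/3/2006 1:34:18 PM HS 40973 C:\WINDOWS\system32\yayvsst.dll
7/23/2006 7:08:26 PM H 4212 C:\WINDOWS\system32\zllictbl.dat
7/26/2006 8:10:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\6b653359-1bff-46d2-b83b-8c71a8c2ba26
8/5/2006 9:54:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['modified']}  {hit['size']:>7}  {hit['path']}  (companion: {hit['companion']})")
```

Run against a full WinPFind.txt, the output is a short list of candidates for a human to review, together with the companion path to paste into the second VundoFix field.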