View Full Version : Melware Issues that can't be removed
I'm needing help in removing some very sticky bugs.
Which are Fake.Wget and Bifrose.LA.
Spybot detects and removes but when the pc is rebooted they come back.
Please Help
Spybot Log
Bifrose.LA: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
Fake.Wget: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1645522239-1563985344-839522115-1003\Software\Wget
Fake.Wget: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-05-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-13 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-13 Includes\DialerC.sbi (*)
2007-06-13 Includes\Hijackers.sbi (*)
2007-06-13 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-06-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-05-30 Includes\Malware.sbi (*)
2007-06-13 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-13 Includes\PUPSC.sbi (*)
2007-06-13 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-13 Includes\SecurityC.sbi (*)
2007-06-06 Includes\Spybots.sbi (*)
2007-06-13 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-05-16 Includes\Trojans.sbi (*)
2007-06-13 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:25:07 AM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\VET\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tune-up.com/link/?app=tu2007&version=6.0.1255&tulang=en&lang=en&country=US&target=visualstyles&nidt=0003
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cobian Backup 8] "C:\Program Files\Cobian Backup 8\Cobian.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NVidia] C:\WINDOWS\system32\wdfmgrs32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVidia] C:\WINDOWS\system32\wdfmgrs32.exe
O4 - Startup: EZ Scheduler.lnk = C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\VET\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/03/clip_image002.gif
--
Cheers
Jarrad
Hi and welcome to the Board
I'm Blade and I am going to try to help you with your problem. Please take a note of five things.
I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
[-HKEY_USERS\S-1-5-21-1645522239-1563985344-839522115-1003\Software\Wget]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wget]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.
Start hjt, click do a system scan only, check:
O4 - HKLM\..\Run: [NVidia] C:\WINDOWS\system32\wdfmgrs32.exe
O4 - HKCU\..\Run: [NVidia] C:\WINDOWS\system32\wdfmgrs32.exe
Close browsers and other windows. Click fix checked.
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete following file if found (in safe mode if needed):
C:\WINDOWS\system32\wdfmgrs32.exe
Running temp cleaner & AVG Anti-Spyware
---------------------------------------
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Unselect Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Do a rescan with Spybot and post its findings if something is still found. Post also:
-AVG Anti-Spyware log
-a fresh HJT log.
There still there.
Spybot log
Bifrose.LA: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
Fake.Wget: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1645522239-1563985344-839522115-1003\Software\Wget
Fake.Wget: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-05-17 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-20 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-20 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
Hijackthis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:49:28 AM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VET\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AutoCAD 2006\acad.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tune-up.com/link/?app=tu2007&version=6.0.1255&tulang=en&lang=en&country=US&target=visualstyles&nidt=0003
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cobian Backup 8] "C:\Program Files\Cobian Backup 8\Cobian.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EZ Scheduler.lnk = C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\VET\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/03/clip_image002.gif
--
End of file - 7157 bytes
AVG Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:52:52 AM 6/21/2007
+ Scan result:
[3596] VM_10000000 -> Logger.Agent.ca : Cleaned with backup (quarantined).
::Report end
Hope this helps
Cheers
Jarrad
Hi
You may want to print out these instructions for reference, since you
will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make
sure Run fixit is checked and click Finish. The fix will
begin; follow the prompts. You will be asked to reboot your computer;
please do so. Your system may take longer than usual to load; this is
normal.
At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of
the logfile C:\fixwareout\report.txt
Fixwareout Last edited 6/20/2007
Post this report in the forums please
...
»»»»»Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
@=""
"Cobian Backup 8"="\"C:\\Program Files\\Cobian Backup 8\\Cobian.exe\""
"itype"="\"c:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"cctray"="\"C:\\Program Files\\VET\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\VET\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Hijackthislog
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:11:44 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tune-up.com/link/?app=tu2007&version=6.0.1255&tulang=en&lang=en&country=US&target=visualstyles&nidt=0003
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cobian Backup 8] "C:\Program Files\Cobian Backup 8\Cobian.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\VET\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EZ Scheduler.lnk = C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\VET\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\VET\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/03/clip_image002.gif
--
End of file - 6833 bytes
As requested
Cheers
Jarrad
Hi
Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
Hi, when I posted this log it told me that the text is to long so it's now in two parts.
WinPFind3 logfile created on: 6/25/2007 8:10:23 AM
WinPFind3U by OldTimer - Version 1.0.39 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
1023.29 Mb Total Physical Memory | 641.00 Mb Available Physical Memory | 62.64% Memory free
929.50 Mb Paging File | 641.88 Mb Available in Paging File | 69.06% Paging File free
Paging file location(s):
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 68.65 Gb Free Space | 92.13% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: FDGROUP-12
Current User Name: Owner
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
apache.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/3/2006 5:04:02 PM | Attr = ]
apache.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/3/2006 5:04:02 PM | Attr = ]
cavrid.exe -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\cavrid.exe -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 230928 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
cbinterface.exe -> %ProgramFiles%\Cobian Backup 8\cbInterface.exe -> Luis Cobian [Ver = 8.2.0.186 | Size = 2417152 bytes | Modified Date = 2/15/2007 3:44:40 PM | Attr = ]
ccprovsp.exe -> %ProgramFiles%\VET\CA Internet Security Suite\ccprovsp.exe -> CA, Inc. [Ver = Version 3.2.1.14 | Size = 214544 bytes | Modified Date = 6/15/2007 4:51:08 PM | Attr = ]
cctray.exe -> %ProgramFiles%\VET\CA Internet Security Suite\cctray\cctray.exe -> CA, Inc. [Ver = Version 3.2.1.14 | Size = 177680 bytes | Modified Date = 6/15/2007 4:51:06 PM | Attr = ]
cobian.exe -> %ProgramFiles%\Cobian Backup 8\Cobian.exe -> Luis Cobian [Ver = 8.2.0.168 | Size = 499712 bytes | Modified Date = 2/15/2007 3:44:34 PM | Attr = ]
dkservice.exe -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 10.0.593.0 | Size = 765952 bytes | Modified Date = 11/23/2005 6:58:04 AM | Attr = ]
ezscheduler.exe -> %ProgramFiles%\American Systems\EZ Scheduler\EZScheduler.exe -> [Ver = 1, 0, 0, 1 | Size = 331776 bytes | Modified Date = 4/3/2001 3:34:20 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 10:31:10 PM | Attr = ]
isafe.exe -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\isafe.exe -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 144960 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
nsvcip.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -> NVIDIA Corporation [Ver = 2, 2, 0, 464 | Size = 131131 bytes | Modified Date = 7/13/2006 3:59:48 PM | Attr = ]
nsvclog.exe -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe -> NVIDIA Corporation [Ver = 2, 2, 0, 464 | Size = 65599 bytes | Modified Date = 7/13/2006 3:59:32 PM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 10/22/2006 11:22:00 AM | Attr = ]
vetmsg.exe -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 243216 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 3/20/2007 2:58:02 PM | Attr = ]
(Autodesk Licensing Service) Autodesk Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Autodesk Shared\Service\AdskScSrv.exe -> Autodesk [Ver = 2.66.000 | Size = 77944 bytes | Modified Date = 3/20/2007 11:55:58 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 10:31:10 PM | Attr = ]
(CaCCProvSP) CaCCProvSP [Win32_Own | On_Demand | Running] -> %ProgramFiles%\VET\CA Internet Security Suite\ccprovsp.exe -> CA, Inc. [Ver = Version 3.2.1.14 | Size = 214544 bytes | Modified Date = 6/15/2007 4:51:08 PM | Attr = ]
(CAISafe) CAISafe [Win32_Own | Auto | Running] -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\isafe.exe -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 144960 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 10.0.593.0 | Size = 765952 bytes | Modified Date = 11/23/2005 6:58:04 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2/28/2006 10:00:00 PM | Attr = ]
(ForcewareWebInterface) Forceware Web Interface [Win32_Own | Auto | Running] -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe -> Apache Software Foundation [Ver = 2.0.52 | Size = 20543 bytes | Modified Date = 4/3/2006 5:04:02 PM | Attr = ]
(nSvcIp) ForceWare IP service [Win32_Own | Auto | Running] -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe -> NVIDIA Corporation [Ver = 2, 2, 0, 464 | Size = 131131 bytes | Modified Date = 7/13/2006 3:59:48 PM | Attr = ]
(nSvcLog) ForceWare user log service [Win32_Own | Auto | Running] -> %ProgramFiles%\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe -> NVIDIA Corporation [Ver = 2, 2, 0, 464 | Size = 65599 bytes | Modified Date = 7/13/2006 3:59:32 PM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 10/22/2006 11:22:00 AM | Attr = ]
(VETMSGNT) VET Message Service [Win32_Own | Auto | Running] -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 243216 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
-> -> File not found
CAVRID -> %ProgramFiles%\VET\CA Internet Security Suite\CA Anti-Virus\cavrid.exe -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 230928 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
cctray -> %ProgramFiles%\VET\CA Internet Security Suite\cctray\cctray.exe -> CA, Inc. [Ver = Version 3.2.1.14 | Size = 177680 bytes | Modified Date = 6/15/2007 4:51:06 PM | Attr = ]
Cobian Backup 8 -> %ProgramFiles%\Cobian Backup 8\Cobian.exe -> Luis Cobian [Ver = 8.2.0.168 | Size = 499712 bytes | Modified Date = 2/15/2007 3:44:34 PM | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 7700480 bytes | Modified Date = 10/22/2006 11:22:00 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< User Startup > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup ->
%UserStartup%\EZ Scheduler.lnk -> %ProgramFiles%\American Systems\EZ Scheduler\EZScheduler.exe -> [Ver = 1, 0, 0, 1 | Size = 331776 bytes | Modified Date = 4/3/2001 3:34:20 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 10:29:58 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (23 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.com.au/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 12:56:50 AM | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [AcroIEToolbarHelper Class] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 12/14/2004 1:13:40 AM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 12/14/2004 1:13:40 AM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 12/14/2004 1:13:40 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.0.0 | Size = 225280 bytes | Modified Date = 12/14/2004 1:13:40 AM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
E&xport to Microsoft Excel -> -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{FA0712FD-6B0A-4A0F-92C7-C95FFCA4DD56} -> (NVIDIA nForce Networking Controller) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000015 -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab ->
Part two
[Files/Folders - Created Within 30 days]
BJPrinter -> %SystemDrive%\BJPrinter -> [Folder | Created Date = 6/1/2007 5:41:52 PM | Attr = H ]
dnsbak.reg -> %SystemDrive%\dnsbak.reg -> [Ver = | Size = 5277 bytes | Created Date = 6/22/2007 8:04:08 AM | Attr = ]
fixwareout -> %SystemDrive%\fixwareout -> [Folder | Created Date = 6/22/2007 8:03:11 AM | Attr = ]
Temp -> %SystemDrive%\Temp -> [Folder | Created Date = 6/4/2007 11:41:06 AM | Attr = ]
Utilities -> %SystemDrive%\Utilities -> [Folder | Created Date = 6/4/2007 10:17:17 AM | Attr = ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ -> [Folder | Created Date = 6/13/2007 6:01:17 PM | Attr = H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ -> [Folder | Created Date = 6/13/2007 6:00:33 PM | Attr = H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ -> [Folder | Created Date = 6/13/2007 6:01:12 PM | Attr = H ]
amuninst.exe -> %SystemRoot%\amuninst.exe -> American Systems [Ver = 1, 0, 0, 1 | Size = 209920 bytes | Created Date = 6/18/2007 8:40:49 AM | Attr = ]
CAVTemp -> %SystemRoot%\CAVTemp -> [Folder | Created Date = 5/31/2007 5:48:31 PM | Attr = ]
ezscheduler.INI -> %SystemRoot%\ezscheduler.INI -> [Ver = | Size = 39 bytes | Created Date = 6/18/2007 8:40:55 AM | Attr = ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel -> [Folder | Created Date = 5/31/2007 5:56:19 PM | Attr = ]
ua2.dll -> %SystemRoot%\ua2.dll -> [Ver = | Size = 77312 bytes | Created Date = 6/4/2007 12:24:24 PM | Attr = ]
unezsched.ini -> %SystemRoot%\unezsched.ini -> [Ver = | Size = 317 bytes | Created Date = 6/18/2007 8:40:49 AM | Attr = ]
isafeif.dll -> %System32%\isafeif.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 99904 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
isafprod.dll -> %System32%\isafprod.dll -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 75280 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
vetredir.dll -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 6/21/2007 8:27:26 AM | Attr = ]
vet-filt.sys -> %System32%\drivers\vet-filt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 26640 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
vet-rec.sys -> %System32%\drivers\vet-rec.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 21392 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
veteboot.sys -> %System32%\drivers\veteboot.sys -> Computer Associates International, Inc. [Ver = 30.8.0.0 | Size = 108624 bytes | Created Date = 6/21/2007 8:15:48 AM | Attr = ]
vetefile.sys -> %System32%\drivers\vetefile.sys -> Computer Associates International, Inc. [Ver = 30.8.0.0 | Size = 630432 bytes | Created Date = 6/21/2007 8:15:48 AM | Attr = ]
vetfddnt.sys -> %System32%\drivers\vetfddnt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 21648 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
vetmonnt.sys -> %System32%\drivers\vetmonnt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 32528 bytes | Created Date = 5/28/2007 4:51:40 PM | Attr = ]
[Files/Folders - Modified Within 30 days]
BJPrinter -> %SystemDrive%\BJPrinter -> [Folder | Modified Date = 6/1/2007 5:41:54 PM | Attr = H ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 389 bytes | Modified Date = 5/31/2007 6:01:50 PM | Attr = RHS]
dnsbak.reg -> %SystemDrive%\dnsbak.reg -> [Ver = | Size = 5277 bytes | Modified Date = 6/22/2007 8:04:10 AM | Attr = ]
fixwareout -> %SystemDrive%\fixwareout -> [Folder | Modified Date = 6/22/2007 8:08:04 AM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 6/21/2007 8:27:24 AM | Attr = R ]
Temp -> %SystemDrive%\Temp -> [Folder | Modified Date = 6/4/2007 11:41:20 AM | Attr = ]
Utilities -> %SystemDrive%\Utilities -> [Folder | Modified Date = 6/21/2007 8:34:06 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 6/25/2007 8:01:48 AM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 6/13/2007 8:57:28 AM | Attr = H ]
$NtUninstallKB929123$ -> %SystemRoot%\$NtUninstallKB929123$ -> [Folder | Modified Date = 6/13/2007 6:01:20 PM | Attr = H ]
$NtUninstallKB935839$ -> %SystemRoot%\$NtUninstallKB935839$ -> [Folder | Modified Date = 6/13/2007 6:00:34 PM | Attr = H ]
$NtUninstallKB935840$ -> %SystemRoot%\$NtUninstallKB935840$ -> [Folder | Modified Date = 6/13/2007 6:01:14 PM | Attr = H ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 5/31/2007 5:56:16 PM | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 6/25/2007 7:55:42 AM | Attr = S]
CAVTemp -> %SystemRoot%\CAVTemp -> [Folder | Modified Date = 6/22/2007 8:35:44 AM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 6/13/2007 6:00:40 PM | Attr = ]
ezscheduler.INI -> %SystemRoot%\ezscheduler.INI -> [Ver = | Size = 39 bytes | Modified Date = 6/25/2007 7:56:46 AM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 6/8/2007 8:52:36 AM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 6/13/2007 6:01:16 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 6/13/2007 6:01:22 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 6/4/2007 12:24:26 PM | Attr = HS]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 6/25/2007 8:01:56 AM | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 6/8/2007 8:52:38 AM | Attr = ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel -> [Folder | Modified Date = 5/31/2007 5:59:26 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 6/25/2007 8:01:48 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 6/4/2007 9:50:40 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 6/25/2007 7:56:38 AM | Attr = ]
ua2.dll -> %SystemRoot%\ua2.dll -> [Ver = | Size = 77312 bytes | Modified Date = 6/4/2007 12:24:26 PM | Attr = ]
unezsched.ini -> %SystemRoot%\unezsched.ini -> [Ver = | Size = 317 bytes | Modified Date = 6/18/2007 8:40:50 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 6/4/2007 12:24:26 PM | Attr = ]
1-Click Maintenance.job -> %SystemRoot%\tasks\1-Click Maintenance.job -> [Ver = | Size = 390 bytes | Modified Date = 6/22/2007 5:15:42 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 6/25/2007 7:55:54 AM | Attr = H ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 6/13/2007 8:56:28 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 5/31/2007 5:58:34 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 6/13/2007 6:01:20 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 6/21/2007 8:27:28 AM | Attr = ]
isafeif.dll -> %System32%\isafeif.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 99904 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
isafprod.dll -> %System32%\isafprod.dll -> CA, Inc. [Ver = Version 8.4.0.24 | Size = 75280 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 88566 bytes | Modified Date = 6/25/2007 7:56:40 AM | Attr = ]
plugin1.dat -> %System32%\plugin1.dat -> [Ver = | Size = 51733 bytes | Modified Date = 6/21/2007 8:32:28 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 6/4/2007 11:32:42 AM | Attr = ]
SysPr.prx -> %System32%\SysPr.prx -> [Ver = | Size = 29765 bytes | Modified Date = 6/21/2007 5:44:54 PM | Attr = HS]
vetredir.dll -> %System32%\vetredir.dll -> Computer Associates International, Inc. [Ver = Version 8.0.8.0 | Size = 79424 bytes | Modified Date = 5/28/2007 5:09:08 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13752 bytes | Modified Date = 6/25/2007 7:56:28 AM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 10:10:42 PM | Attr = ]
vet-filt.sys -> %System32%\drivers\vet-filt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 26640 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
vet-rec.sys -> %System32%\drivers\vet-rec.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 21392 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
veteboot.sys -> %System32%\drivers\veteboot.sys -> Computer Associates International, Inc. [Ver = 30.8.0.0 | Size = 108624 bytes | Modified Date = 6/21/2007 8:15:50 AM | Attr = ]
vetefile.sys -> %System32%\drivers\vetefile.sys -> Computer Associates International, Inc. [Ver = 30.8.0.0 | Size = 630432 bytes | Modified Date = 6/21/2007 8:15:50 AM | Attr = ]
vetfddnt.sys -> %System32%\drivers\vetfddnt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 21648 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
vetmonnt.sys -> %System32%\drivers\vetmonnt.sys -> Computer Associates International, Inc. [Ver = 8.4.0.24 | Size = 32528 bytes | Modified Date = 5/28/2007 5:09:10 PM | Attr = ]
[File String Scan - Non-Microsoft Only]
Umonitor , -> %SystemRoot%\pxinstall_log.txt -> [Ver = | Size = 88752 bytes | Modified Date = 6/4/2007 1:16:10 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 2/28/2006 10:00:00 PM | Attr = ]
Umonitor , -> %System32%\ipebase11.dll -> Hewlett-Packard Company [Ver = 1, 1, 0, 0 | Size = 324096 bytes | Modified Date = 8/24/1998 4:57:26 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 2/28/2006 10:00:00 PM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 2/28/2006 10:00:00 PM | Attr = ]
< End of report >
Thanks
Jarrad
Hi
I'm sorry for delayed reply. Had to ask some hints to your case.
First download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.
In the box that opens ONLY choose
System registry.
Then click OK.
Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
After backup of registry is ready it's time to try fixing problematic entries by following instructions below.
1. Download Registrar Lite from here (http://www.majorgeeks.com/download469.html) and install it.
2. Start Registrar Lite.
3. Type in to Address field this and click ok: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
4. Right-click that key and choose Properties. Click "Take ownership".
5. Right-click that key again and choose Delete.
Repeat process for these keys:
HKEY_USERS\S-1-5-21-1645522239-1563985344-839522115-1003\Software\Wget
HKEY_LOCAL_MACHINE\SOFTWARE\Wget
If there are some subkeys behind those keys delete those as well (steps 4. and 5.).
Then reboot and do a rescan with Spybot. Let me know the results. :)
Due to lack of a response, this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.