
advertising.com and other regenerating spyware



digital-ink
2006-02-10, 02:04
Hello

I'm new here, but it seems this is a good forum to belong to if you're having spyware troubles. I can't seem to rid myself of some spyware. I'm sure you all have heard the story before; Spybot finds it, destroys it, but by next reboot it's back: advertising.com, fastclick, valueclick, double click, and mediaplex.

Here is my log, I hope you can help..

Logfile of HijackThis v1.99.1
Scan saved at 7:00:38 PM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq\Desktop\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {44710E5B-1B9A-4368-BB18-82B74ACEAC8A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C45ED0E9-8943-4319-9971-479C4BA36078} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DDCF7B3A-8D48-4A05-98F2-7CD51C478124} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

digital-ink
2006-02-10, 22:22
any thoughts?

Metallica
2006-02-10, 23:10
Yes. But you shouldn't bump your threads. It makes it look as if you had an answer.

Glad I caught you. ;)

Please disable AdWatch, as it may hinder the removal of some entries.
To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both options. You can enable these after resolving your problem.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Download WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip) and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder).

digital-ink
2006-02-10, 23:38
My mistake, I was just trying to prevent my problem from going unnoticed since it was on the second page. Lesson learned, so it won't happen again =D

I followed your instructions and this is what I got..

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
SAHAgent 21/06/2005 22:13:34 3585 C:\WINDOWS\SYSTEM32\6l6cuah9.ini
PEC2 31/12/2002 07:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 26/10/2004 17:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 26/10/2004 17:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
SAHAgent 21/06/2005 15:42:20 35 C:\WINDOWS\SYSTEM32\kcse04tk.ini
SAHAgent 21/06/2005 15:42:20 35 C:\WINDOWS\SYSTEM32\kkhe9l2p.ini
PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 04/01/2006 22:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/01/2006 22:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 31/12/2002 07:00:00 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 31/12/2002 07:00:00 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 21/06/2005 15:37:30 398742 C:\WINDOWS\SYSTEM32\Tqzdtlk1.xml
winsync 31/12/2002 07:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/02/2006 16:20:28 S 2048 C:\WINDOWS\bootstat.dat
10/02/2006 16:19:12 H 24 C:\WINDOWS\pogwG
05/02/2006 19:24:58 H 54156 C:\WINDOWS\QTFont.qfn
10/02/2006 15:37:12 HS 7680 C:\WINDOWS\Thumbs.db
02/01/2006 18:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
10/02/2006 16:20:18 H 8192 C:\WINDOWS\system32\config\default.LOG
10/02/2006 16:20:40 H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/02/2006 16:20:30 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
10/02/2006 16:21:44 H 73728 C:\WINDOWS\system32\config\software.LOG
10/02/2006 16:20:36 H 888832 C:\WINDOWS\system32\config\system.LOG
12/01/2006 15:35:02 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
14/01/2006 09:58:20 S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
14/01/2006 09:58:16 S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
14/01/2006 09:58:20 S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
14/01/2006 09:58:16 S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
01/01/2006 00:45:28 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7e668dc6-e71d-4607-8b40-a7c96efe562b
01/01/2006 00:45:28 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/02/2006 16:19:32 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 31/12/2002 07:00:00 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 31/12/2002 07:00:00 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 31/12/2002 07:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 31/12/2002 07:00:00 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 31/12/2002 07:00:00 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 26/08/2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 31/12/2002 07:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 31/12/2002 07:00:00 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/12/2002 07:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 31/12/2002 07:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 31/12/2002 07:00:00 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 31/12/2002 07:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 31/12/2002 07:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 31/12/2002 07:00:00 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 31/12/2002 07:00:00 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 31/12/2002 07:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 31/12/2002 07:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 31/12/2002 07:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 31/12/2002 07:00:00 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 31/12/2002 07:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 31/12/2002 07:00:00 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 31/12/2002 07:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/12/2002 07:00:00 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 31/12/2002 07:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/12/2002 07:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 31/12/2002 07:00:00 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 31/12/2002 07:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 31/12/2002 07:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 31/12/2002 07:00:00 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 31/12/2002 07:00:00 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 31/12/2002 07:00:00 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 31/12/2002 07:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 31/12/2002 07:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 31/12/2002 07:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/06/2005 06:59:30 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/06/2005 23:57:10 1609 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk.disabled

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/06/2005 07:48:34 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/06/2005 06:59:30 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/06/2005 07:48:34 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF4E223-7019-4ce7-BE03-D7D3C8CCE884}
IEWebCatcher Class = C:\Program Files\DNS\Catcher.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}
ButtonText = ComcastHSI : http://www.comcast.net/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}
ButtonText = Support : http://www.comcastsupport.com/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}
ButtonText = Help : http://online.comcast.net/help/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
MSWheel
kmw_run.exe kmw_run.exe
MessengerPlus3 "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

digital-ink
2006-02-10, 23:39
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/02/2006 16:29:07

Metallica
2006-02-11, 00:03
Oops. I missed one.

Fix this one as well:
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll (file missing)

Then
*click here (http://www.geekstogo.com/modules.php?modid=5&action=download&id=4) to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\SYSTEM32\6l6cuah9.ini
C:\WINDOWS\SYSTEM32\kcse04tk.ini
C:\WINDOWS\SYSTEM32\kkhe9l2p.ini
C:\WINDOWS\SYSTEM32\Tqzdtlk1.xml

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot and find this folder:
C:\Program Files\DNS

Delete it if it is still present.

Let me know how the computer behaves then.

digital-ink
2006-02-11, 02:11
Tried everything you said, but it didn't work. I'm still infected. One thing I did notice though was even when I check and click Fix checked on

"O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)"

it doesn't remove it from the log.

Metallica
2006-02-11, 12:42
That entry is not related, but try this please.

Click Start > Run type services.msc > OK
In the list of services find:
iPod Service (iPodService)
Right-click that line and choose Properties.
On the General tab, Stop the service and set it to Disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: iPodService

Then reboot and post a new HijackThis log.
Also post a new WinPFind log.

digital-ink
2006-02-12, 20:39
I'm not sure if this is related as well, but when I was in the services list I came across one called DNS Client (Domain Name System). Not sure if it's normal to be there or a part of that DNS directory I had to delete.

digital-ink
2006-02-12, 21:04
Logfile of HijackThis v1.99.1
Scan saved at 1:42:22 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Compaq\Desktop\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {44710E5B-1B9A-4368-BB18-82B74ACEAC8A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C45ED0E9-8943-4319-9971-479C4BA36078} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DDCF7B3A-8D48-4A05-98F2-7CD51C478124} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

digital-ink
2006-02-12, 21:06
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 31/12/2002 07:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 26/10/2004 17:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 26/10/2004 17:38:24 716800 C:\WINDOWS\SYSTEM32\DivX.dll
SAHAgent 21/06/2005 15:42:20 35 C:\WINDOWS\SYSTEM32\kcse04tk.ini
SAHAgent 21/06/2005 15:42:20 35 C:\WINDOWS\SYSTEM32\kkhe9l2p.ini
PTech 12/07/2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 04/01/2006 22:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/01/2006 22:41:02 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 31/12/2002 07:00:00 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 31/12/2002 07:00:00 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 21/06/2005 15:37:30 398742 C:\WINDOWS\SYSTEM32\Tqzdtlk1.xml
winsync 31/12/2002 07:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 16/01/2006 15:42:28 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/02/2006 13:45:22 S 2048 C:\WINDOWS\bootstat.dat
12/02/2006 13:42:38 H 24 C:\WINDOWS\pogwG
10/02/2006 17:44:50 H 54156 C:\WINDOWS\QTFont.qfn
10/02/2006 17:24:02 HS 7680 C:\WINDOWS\Thumbs.db
02/01/2006 18:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
12/02/2006 13:45:12 H 8192 C:\WINDOWS\system32\config\default.LOG
12/02/2006 13:45:48 H 1024 C:\WINDOWS\system32\config\SAM.LOG
12/02/2006 13:45:24 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
12/02/2006 13:46:52 H 65536 C:\WINDOWS\system32\config\software.LOG
12/02/2006 13:45:30 H 856064 C:\WINDOWS\system32\config\system.LOG
12/01/2006 15:35:02 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
14/01/2006 09:58:20 S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
14/01/2006 09:58:16 S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
14/01/2006 09:58:20 S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
14/01/2006 09:58:16 S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
01/01/2006 00:45:28 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\7e668dc6-e71d-4607-8b40-a7c96efe562b
01/01/2006 00:45:28 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/02/2006 13:44:22 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 31/12/2002 07:00:00 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 31/12/2002 07:00:00 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 31/12/2002 07:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 31/12/2002 07:00:00 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 31/12/2002 07:00:00 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 26/08/2005 18:14:42 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 31/12/2002 07:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 31/12/2002 07:00:00 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/12/2002 07:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 31/12/2002 07:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 31/12/2002 07:00:00 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 31/12/2002 07:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 31/12/2002 07:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 31/12/2002 07:00:00 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23/09/2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 31/12/2002 07:00:00 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 31/12/2002 07:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 31/12/2002 07:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 31/12/2002 07:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 31/12/2002 07:00:00 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 31/12/2002 07:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 31/12/2002 07:00:00 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 31/12/2002 07:00:00 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 31/12/2002 07:00:00 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 31/12/2002 07:00:00 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 31/12/2002 07:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/12/2002 07:00:00 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 31/12/2002 07:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/12/2002 07:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 31/12/2002 07:00:00 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 31/12/2002 07:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 31/12/2002 07:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 31/12/2002 07:00:00 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 31/12/2002 07:00:00 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 31/12/2002 07:00:00 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 31/12/2002 07:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 31/12/2002 07:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 31/12/2002 07:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/06/2005 06:59:30 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/06/2005 23:57:10 1609 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk.disabled

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/06/2005 07:48:34 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/06/2005 06:59:30 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/06/2005 07:48:34 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

digital-ink
2006-02-12, 21:07
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669B269B-0D4E-41FB-A3D8-FD67CA94F646}
ButtonText = ComcastHSI : http://www.comcast.net/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{8828075D-D097-4055-AA02-2DBFA9D85E8A}
ButtonText = Support : http://www.comcastsupport.com/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{97809617-3937-4F84-B335-9BB05EF1A8D4}
ButtonText = Help : http://online.comcast.net/help/
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
MSWheel
kmw_run.exe kmw_run.exe
MessengerPlus3 "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/02/2006 13:54:52

Metallica
2006-02-12, 21:35
Something is recreating those files.

Can you please download and install RootKitRevealer from:
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Close as many programs as possible and run it. Post the resulting log please.

digital-ink
2006-02-12, 23:14
HKLM\S-1-5-21-1214440339-746137067-1060284298-1003\Software\CoPPnA3EIW8D 12/10/2005 13:41 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\CLSID\{1B35F811-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{10ed2d83-f16f-0348-2000-8c26b23e9a26}\22 05/12/2005 12:10 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\CoPPnA3EIW8D 06/02/2006 00:43 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPNUPS 27/11/2005 07:14 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\IpNUPS 12/02/2006 13:56 0 bytes Hidden from Windows API.
C:\Program Files\Broetget 12/02/2006 13:22 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\ace.dll 27/11/2005 07:14 568.00 KB Hidden from Windows API.
C:\Program Files\Broetget\AI_06-02-2006.log 06/02/2006 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_07-02-2006.log 07/02/2006 10:24 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_08-02-2006.log 08/02/2006 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_09-02-2006.log 09/02/2006 09:21 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_10-02-2006.log 10/02/2006 15:09 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_11-02-2006.log 11/02/2006 01:23 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\AI_12-02-2006.log 12/02/2006 13:22 3 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache 12/02/2006 15:46 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000001c_43e6d7e0_00077c2c 06/02/2006 00:00 7.38 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000001c_43e952ee_00053f6e 07/02/2006 21:09 31.28 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000001c_43e9704b_00000926 07/02/2006 23:15 1.12 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000001c_43ebd3f0_0005bac8 12/02/2006 15:44 68.81 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000001c_43ebee57_0002813c 09/02/2006 20:37 127.15 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_438c645c_0001e06c 12/02/2006 13:58 711 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_438da900_000f16d1 12/02/2006 13:26 471 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43b0cf4c_000305b1 31/01/2006 10:00 485 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43b6fdd7_00079e46 12/02/2006 15:44 4.86 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43c524a0_0007b930 14/01/2006 19:46 20.47 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43c7b9db_0005dcd8 21/01/2006 01:42 18.22 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43c91190_0003c9cc 14/01/2006 09:58 3.52 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43cd37dd_00066554 21/01/2006 01:37 20 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43cea29e_000d3aa0 18/01/2006 15:18 227.82 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43cfd78a_000ce473 19/01/2006 13:16 1.94 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43d06b1e_000b062e 19/01/2006 23:46 288 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43d10ae9_000dc693 08/02/2006 17:50 4.52 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43df7879_00011ea6 31/01/2006 09:47 9.78 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43df7b20_0005a5f3 08/02/2006 15:13 370.71 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e00fdb_0000710e 31/01/2006 20:33 9.78 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e22567_000868d6 02/02/2006 10:29 974 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e3cad4_000a7558 03/02/2006 16:27 227.31 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e63359_0003e838 05/02/2006 12:18 18.92 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e8bbd9_00079e93 07/02/2006 10:25 4 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43e9fb5b_0004f031 08/02/2006 09:08 405 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ea7656_000ced43 08/02/2006 17:53 876 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43eabc50_000578a4 12/02/2006 13:26 287 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43eb758f_000ae5bb 09/02/2006 12:02 217.30 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ecf330_00007cc8 10/02/2006 15:10 4.06 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ed0639_000319e3 10/02/2006 16:31 4.06 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ed1253_0005432c 10/02/2006 17:23 4.08 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43edde02_00076b86 11/02/2006 07:52 62.80 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ef7d41_00021c84 12/02/2006 13:24 876 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ef8161_0007aa56 12/02/2006 13:41 4.27 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000029_43ef85de_0006f13c 12/02/2006 14:01 76.75 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43c85faa_000901dc 13/01/2006 21:19 245 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43cc2d66_0007f0b9 16/01/2006 18:33 883 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43cf0851_00053ab9 18/01/2006 22:32 10.83 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43cfdb3d_0006a74e 19/01/2006 13:32 699 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43d11ecf_0008f599 20/01/2006 12:33 16.32 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43e41650_00055ceb 03/02/2006 21:49 8.55 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43e68792_00046a13 05/02/2006 18:17 426 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43e8c2d3_00088204 07/02/2006 10:54 718 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43ea56e8_000c9711 08/02/2006 15:39 60.28 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43ea9261_000469f0 08/02/2006 19:52 56.23 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000035_43ed4061_00032bfb 10/02/2006 20:39 129.97 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000003a_43cc6dc8_0001858c 16/01/2006 23:08 436 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000003a_43e96fd3_000cfc43 07/02/2006 23:13 1.77 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43cc32c3_000e9390 16/01/2006 18:56 10.65 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43d06553_000bdc7c 19/01/2006 23:21 256 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43d1db58_000a350c 21/01/2006 01:57 359 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43e698ab_0008e773 05/02/2006 19:30 50.76 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43e8d4b1_000b0fa6 07/02/2006 12:11 4.73 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000007b_43ebb642_000bc274 09/02/2006 16:38 777 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43cc31d0_000b121c 16/01/2006 18:52 98.30 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43d06289_00009aae 19/01/2006 23:09 36 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43d1d7bd_0005f8a4 21/01/2006 01:42 4.23 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43e697fb_00090289 05/02/2006 19:27 6.42 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43e8c5ff_000606b9 07/02/2006 11:08 237 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008c_43ebb624_000eebac 09/02/2006 16:37 797 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_4393878c_0006d6a1 04/12/2005 19:19 25.48 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_43cc3180_00075391 16/01/2006 18:51 112.66 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_43d061a5_000ed924 19/01/2006 23:05 1.12 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_43e696e8_00056990 05/02/2006 19:23 1.77 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_43e8c5e4_000aa0e3 07/02/2006 11:08 239 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\0000008e_43ebb50c_000f2fa9 09/02/2006 16:33 1.01 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000094_43e96f03_000a8dec 07/02/2006 23:09 33.80 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000094_43ebec8a_0009a488 09/02/2006 20:29 34.06 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43a5dff1_00036e03 07/02/2006 12:11 887 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43b9d306_00031c7e 13/01/2006 21:18 459 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43bd8c42_000b2c7e 03/02/2006 19:05 594 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43c66c27_00089f00 06/02/2006 00:00 2.05 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43c94446_000cc2d9 14/01/2006 13:34 1.46 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43cc2b78_0009285b 16/01/2006 18:25 789 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43cd92f5_000732c1 31/01/2006 09:57 659 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43cee76e_0002ffe0 18/01/2006 20:16 13.20 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43d06c41_00024a4c 19/01/2006 23:51 893 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43d10e07_0006dc53 20/01/2006 11:21 5.24 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e11eb3_000e2df1 01/02/2006 15:48 1009 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e24034_0004fb24 02/02/2006 12:24 9.78 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e3ef29_000a5e94 03/02/2006 19:02 2.10 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e63390_00028493 05/02/2006 12:19 896 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e8bc47_00059ae1 07/02/2006 10:27 777 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43ea76c6_00017b74 08/02/2006 17:55 2.30 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43eabdd4_000bdb7b 08/02/2006 22:58 23.08 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43ed1035_000b9656 10/02/2006 17:14 585 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43ed1351_000d70f1 10/02/2006 17:27 417 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43ee418b_0001756b 11/02/2006 14:56 417 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43c9aa36_0001aba1 14/01/2006 20:49 1.77 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43cc2fb0_00047744 16/01/2006 18:43 597 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43cf0c47_00055a41 18/01/2006 22:49 5.62 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43d13e1a_000015c9 20/01/2006 14:46 1.13 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43e417ee_000943a1 03/02/2006 21:56 1.77 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43e6907f_000d8441 05/02/2006 18:55 50.51 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43e8c393_00084b93 07/02/2006 10:58 573 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43ea71ba_000bde84 08/02/2006 17:33 2.86 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000c1_43eb82e0_0006ccf6 09/02/2006 12:58 437 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000e5_43ec0e66_0001256b 09/02/2006 22:54 1.77 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43c70543_000a034b 13/01/2006 21:12 921 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43cc31ac_0001e014 16/01/2006 18:52 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43d0625f_000f1d6c 19/01/2006 23:09 705 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43d1d75b_0003d164 21/01/2006 01:40 805 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43e69754_00099e7c 05/02/2006 19:24 11.16 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43e8c5f7_000712ac 07/02/2006 11:08 5.38 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43ebb537_0002af16 09/02/2006 16:33 4.67 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000f8_43e97ed3_000b062b 08/02/2006 00:17 58.43 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000f8_43ebf5b3_00064f86 09/02/2006 21:08 4.37 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43bbdbe3_00011bd8 01/02/2006 15:51 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43c83147_0003e1c6 13/01/2006 18:01 11.06 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43c946da_000f30f8 14/01/2006 13:45 539 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43cc2bb0_000c38c8 16/01/2006 18:26 1.44 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43cdb00a_00068439 17/01/2006 22:03 237 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43cee7bb_0001c9be 18/01/2006 20:13 651 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43cfd9b8_000ec320 19/01/2006 13:26 20.54 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43d0705c_00038831 20/01/2006 00:08 221 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43df7e06_0008cf7c 31/01/2006 10:11 395 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e014dd_000d0631 31/01/2006 20:54 125 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e11f29_000a81d3 01/02/2006 15:50 250 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e3efb9_0006f679 03/02/2006 19:05 699 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e676ca_0009f4bc 05/02/2006 17:06 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e8bc7e_00057030 10/02/2006 17:28 437 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ea0521_000c3ce4 08/02/2006 09:50 3.82 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ea7767_000b9730 08/02/2006 17:57 65.06 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43eabf1e_000b9ee9 08/02/2006 23:03 8.69 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43eb77d9_00079364 09/02/2006 12:11 699 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ecf7aa_00066a11 10/02/2006 15:29 28.71 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ed14cc_0006f24c 10/02/2006 17:33 169 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ee71ad_00016e3e 11/02/2006 18:22 820 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43ef8a88_00044c0b 12/02/2006 14:20 590 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43b72064_0004d836 10/02/2006 17:53 15.00 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43b9d306_000f07c1 13/01/2006 21:18 459 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43c94447_00015291 14/01/2006 13:34 3.50 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43cc2b7a_00025343 16/01/2006 18:25 138.58 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43cd92f5_00092f4c 31/01/2006 09:57 660 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43cee773_00062a60 21/01/2006 01:37 20.49 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43cfd896_000e3263 19/01/2006 13:21 10.81 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43d06c42_0006e57c 19/01/2006 23:51 600 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43d10e07_00099c76 20/01/2006 11:21 5.23 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43df7b70_000cc11b 31/01/2006 10:00 549 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43e11eb4_0002bda9 01/02/2006 15:48 418 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43e3ef2e_000c7740 03/02/2006 19:02 405 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43e63390_0005e130 05/02/2006 12:19 1.22 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43e8bc47_000ca258 07/02/2006 10:27 1.01 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43e9fbe3_000d9496 08/02/2006 09:10 6.03 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43ea76c6_0006ad7e 08/02/2006 17:55 1.63 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43eabdd5_000b1d83 08/02/2006 22:58 4.81 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43eb76bf_00002831 09/02/2006 12:07 1.78 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43ecf667_000bd8ee 10/02/2006 15:24 1.29 KB Hidden from Windows AP

digital-ink
2006-02-12, 23:16
The list is about 10 times this big, but it is all from the same directory, a little over 7000 items.

digital-ink
2006-02-13, 00:06
These files were a little bit different at the bottom of the list, so I want to add them too:

C:\Program Files\Broetget\Cache\00007ff5_43eb779f_000d7bb9 09/02/2006 18:31 744 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00007ff5_43ecf769_000438d9 10/02/2006 15:28 1.58 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00007ff5_43ed10e9_000266a0 10/02/2006 17:17 1.12 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00007ff5_43ee719e_000dc8b9 11/02/2006 18:22 575 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00007ff5_43ef8a80_0007c9e4 12/02/2006 14:20 915 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\dns 12/02/2006 15:48 127.61 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\index 12/02/2006 15:48 1.38 MB Hidden from Windows API.
C:\Program Files\Broetget\data.bin 27/11/2005 07:14 114.94 KB Hidden from Windows API.
C:\Program Files\Broetget\dx7tplug.exe 27/11/2005 07:14 164.00 KB Hidden from Windows API.
C:\Program Files\Broetget\getdsdmo.exe 12/01/2006 09:21 912.00 KB Hidden from Windows API.
C:\Program Files\Broetget\WinGenerics.dll 27/11/2005 07:14 576.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\usbncmac.sys 27/11/2005 07:14 12.00 KB Hidden from Windows API.
C:\WINDOWS\system32\srcbcbcp.exe 27/11/2005 07:14 488.00 KB Hidden from Windows API.
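
When a listing like the one above runs to several thousand entries, the useful first step is to parse it and separate the cache noise from the few executables and drivers that actually need a second look. The script below is an added example written for this thread; it is not part of BlackLight, F-Secure's tooling, or anything the posters ran. It assumes the line format seen above (`<path> <dd/mm/yyyy> <hh:mm> <size> <unit> Hidden from Windows API.`) and tolerates the truncated last line. It also checks one assumption that is not stated anywhere in the thread: that the middle hex field of each cache file name is a Unix timestamp, shown in the listing as local time at an assumed UTC-5 offset. The sample lines are copied from the listings posted above.

```python
"""Triage a BlackLight-style hidden-file listing (added example, not the
thread's or F-Secure's own code). Input format is assumed from the lines
pasted in the thread."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# One listing line: <path> <dd/mm/yyyy> <hh:mm> <size> <unit> <status>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) (?P<status>.*)$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}
# Extensions to look at first when a rootkit is hiding files.
PAYLOAD_EXT = {".exe", ".dll", ".sys"}
# Cache names in the listing look like 00000099_43e11eb3_000e2df1.
CACHE_NAME_RE = re.compile(r"^[0-9a-f]{8}_(?P<ts>[0-9a-f]{8})_[0-9a-f]{8}$")

# Sample input: lines copied from the listing in the thread (the last one is
# the truncated line as it appears there).
SAMPLE_LINES = r"""
C:\Program Files\Broetget\Cache\00000099_43e11eb3_000e2df1 01/02/2006 15:48 1009 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000099_43e24034_0004fb24 02/02/2006 12:24 9.78 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000120_43e8bc7e_00057030 10/02/2006 17:28 437 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\000000eb_43cc31ac_0001e014 16/01/2006 18:52 0 bytes Hidden from Windows API.
C:\Program Files\Broetget\Cache\index 12/02/2006 15:48 1.38 MB Hidden from Windows API.
C:\Program Files\Broetget\data.bin 27/11/2005 07:14 114.94 KB Hidden from Windows API.
C:\Program Files\Broetget\WinGenerics.dll 27/11/2005 07:14 576.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\usbncmac.sys 27/11/2005 07:14 12.00 KB Hidden from Windows API.
C:\WINDOWS\system32\srcbcbcp.exe 27/11/2005 07:14 488.00 KB Hidden from Windows API.
C:\Program Files\Broetget\Cache\00000124_43ecf667_000bd8ee 10/02/2006 15:24 1.29 KB Hidden from Windows AP
""".strip().splitlines()


def parse_line(line):
    """Return a record dict for one listing line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PureWindowsPath(m["path"])
    return {
        "path": str(p),
        "dir": str(p.parent),
        "name": p.name,
        "ext": p.suffix.lower(),
        "mtime": datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M"),
        "size": int(round(float(m["size"]) * UNIT[m["unit"]])),
        # Prefix match so a line cut off mid-word (as in the thread) still counts.
        "hidden": m["status"].startswith("Hidden from Windows"),
    }


def triage(lines):
    """Split a listing into (payload, noise, per_dir): executables and drivers
    worth submitting to a scanner, everything else, and a per-directory count."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    per_dir = Counter(r["dir"] for r in records)
    payload = [r for r in records if r["ext"] in PAYLOAD_EXT]
    noise = [r for r in records if r["ext"] not in PAYLOAD_EXT]
    return payload, noise, per_dir


def cache_name_matches_mtime(rec, utc_offset_hours=-5):
    """Assumption checked here (not stated in the thread): the middle hex field
    of a cache name is a Unix timestamp and the listing shows local time at the
    given UTC offset. Returns None for names that are not in the cache pattern,
    True when the decoded time agrees with the listed time to the minute."""
    m = CACHE_NAME_RE.match(rec["name"])
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m["ts"], 16), tz=timezone.utc)
    local = ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.replace(tzinfo=None, second=0) == rec["mtime"]


if __name__ == "__main__":
    payload, noise, per_dir = triage(SAMPLE_LINES)
    print("Entries per directory:")
    for d, n in per_dir.most_common():
        print(f"  {n:5d}  {d}")
    print("Files to submit for scanning:")
    for r in payload:
        print(f"  {r['path']}  ({r['size']} bytes)")
    for r in noise:
        verdict = cache_name_matches_mtime(r)
        if verdict is not None:
            print(f"  name timestamp == listed mtime? {verdict}  {r['name']}")
```

On the sample the three payload files are the same three the helper later asked to have uploaded; the two earliest cache names decode to exactly their listed time, while the entry whose listed time is days later than its name's timestamp comes back False, which is what you would expect if the entry was rewritten after it was created.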

Metallica
2006-02-13, 10:53
Please download and run BlackLight from:
http://www.f-secure.com/blacklight/

Have it rename these two files:
C:\Program Files\Broetget\WinGenerics.dll
C:\WINDOWS\system32\drivers\usbncmac.sys

Post a new HijackThis log after a reboot.
Please don't delete any files yet. I may need samples.

digital-ink
2006-02-13, 16:46
I want to thank you for all the time you're taking to help me with this. It seems like this rabbit hole keeps getting deeper and deeper.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:05 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Compaq\Desktop\highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Exif Launcher.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {44710E5B-1B9A-4368-BB18-82B74ACEAC8A} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Help - {C45ED0E9-8943-4319-9971-479C4BA36078} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {DDCF7B3A-8D48-4A05-98F2-7CD51C478124} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Metallica
2006-02-13, 17:32
It sure is. Not even a rabbit anymore. More like a dirty mean ole wolf.

Can you please surf to:
http://www.thespykiller.co.uk/forum/index.php?topic=5.0
Follow the instructions there to upload:
C:\Program Files\Broetget\WinGenerics.dll <= renamed
C:\WINDOWS\system32\drivers\usbncmac.sys <= renamed
C:\Program Files\Broetget\dx7tplug.exe
C:\Program Files\Broetget\getdsdmo.exe
C:\WINDOWS\system32\srcbcbcp.exe

We will have to sort the mess out, but I would urgently advise you to change all the passwords that you have stored on that computer.
There is no way of telling what was installed on and/or stolen from your computer, but this sort of rootkit usually doesn't get installed without doing any harm.

digital-ink
2006-02-13, 18:37
I'm not sure if they uploaded right, because the files are hidden from Windows I can't use the browse button, so I typed in the directory. I'm also changing all my passwords now.

Metallica
2006-02-13, 20:55
They didn't get uploaded.

If they are still hidden, then the rootkit is probably still active.
Can you run BlackLight again and have it rename the other files as well?

Let me know if they show up then.

Metallica
2006-02-13, 21:11
Just for your information.

The path to the renamed files will be:
C:\Program Files\Broetget\WinGenerics.dll.ren
C:\WINDOWS\system32\drivers\usbncmac.sys.ren
C:\Program Files\Broetget\dx7tplug.exe.ren
C:\Program Files\Broetget\getdsdmo.exe.ren
C:\WINDOWS\system32\srcbcbcp.exe.ren

digital-ink
2006-02-14, 05:37
Well, I ran BlackLight again and renamed all of those files; after reboot the C:\Program Files\Broetget directory was still hidden. I reran BlackLight and it found all the same files again, including the ones that should have been renamed. I tried renaming them again along with some of those cache files, and again on reboot nothing.

On a side note, while coming to the forum to post this, I got a "Visual C++ Runtime Error" and in the error box it was from c:\program files\broetget\getdsdmo.exe

Metallica
2006-02-14, 11:08
:scratch:

Although I'm leaning towards advising you to reformat the computer, there is one thing we can try.
Do you have the XP install CD or boot disks we can use to operate from outside Windows?

digital-ink
2006-02-16, 23:36
Sorry it took so long to get back to you; I was out of town a couple of days. I too was thinking about reformatting, but I was finally able to remove the rootkit. What I had to do was, after running BlackLight, reboot in safe mode so I could see the directory. Unfortunately I deleted the directory before I realized I needed to save a few of the files for you to look at. However, after that I was able to find the two files in the windows/system32 back in normal mode. I used BlackLight to rename them again because it said they were hidden, rebooted, found them and uploaded them for you to look at. Maybe you can figure out what they do?? Thanks again for all your help!!!

jack

Metallica
2006-02-17, 21:33
Hi Jack,

Nice job you did to find that out.

The scan results for the files you uploaded:
"usbncmac.sys"
AntiVir 6.33.1.50 02.17.2006 TR/Rootkit.SMA.A
Avast 4.6.695.0 02.16.2006 Win32:Trojano-3087
Avira 6.33.1.50 02.17.2006 TR/Rootkit.SMA.A
eTrust-InoculateIT 23.71.78 02.17.2006 Win32/Smamate!Trojan
eTrust-Vet 12.4.2086 02.17.2006 Win32/Smamate
Kaspersky 4.0.2.24 02.17.2006 Rootkit.Win32.Agent.ao
McAfee 4700 02.17.2006 NTRootKit-R.gen
VBA32 3.10.5 02.17.2006 suspected of Rootkit.Agent.4

"SRCBCBCP.EXE"
CAT-QuickHeal 8.00 02.16.2006 (Suspicious) - DNAScan
eTrust-InoculateIT 23.71.78 02.17.2006 Win32/Propo!Trojan
eTrust-Vet 12.4.2086 02.17.2006 Win32/Propo
Kaspersky 4.0.2.24 02.17.2006 Trojan.Win32.Crypt.t
Panda 9.0.0.4 02.17.2006 Suspicious file

I'll see what else I can find out.

Metallica
2006-02-17, 23:56
illukka pointed this article out to me:
http://www.f-secure.com/sw-desc/apropos.shtml

The good news is, it is a relatively harmless rootkit. And there is a tool to remove it, which I knew existed, but I didn't recognize it. :rolleyes:

I must apologize to you since we could have closed this thread 2 pages ago if I had.

Sorry.

tashi
2006-02-22, 00:31
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Thanks Metallica. :)