HELP with DMSetup Trojan & Possibly Remote Storm



wordsmith
2006-08-25, 21:28
hello all...i'm new here, so i'll start at the beginning. i've had trouble with browser hijackers before, which my s&d and other software found....this time, though, my computer has been acting fine, aside from having trouble shutting down because a program that appeared out of nowhere keeps getting hung up...but on tuesday, i got a flash from my norton firewall (my norton anti-virus hasn't been updated since 2004 cuz i use the online trendmicro scan) saying "DEFAULT BLOCK DMSETUP TROJAN HORSE FROM ip: 59.28.211.101:1103" - i traced the ip address to korea, but that's as far as i got. apparently this trojan has been around for a while, although there was another "outbreak" of it in june, 2006.

after doing some research, i ran netstat.txt and found the following:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*


the first thing i did was run a trendmicro scan, but nothing was caught. i then ran "stinger," but after several hours it still wasn't done & i had to do work, so i turned it off. then i ran "the cleaner," which was recommended by another web site i came across. the only thing it came up with was something called "EICAR Test File" found in: d:\local disk (f)\program files\network associates\mcafee virusscan\new_dats.txt

and

d:\local disk (f)\unzipped\spm-321e\whatsnew.txt

the next day i ran netstat.txt again and this is what it said:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 192.168.100.11:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.100.11:123 *:*
UDP 192.168.100.11:137 *:*
UDP 192.168.100.11:138 *:*
UDP 192.168.100.11:1900 *:*

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 69.244.253.97:123 *:*
UDP 69.244.253.97:137 *:*
UDP 69.244.253.97:138 *:*
UDP 69.244.253.97:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*

i blocked 127.0.0.1:123 (when i blocked 69.244.253.97, my internet stopped working, so i assume it's a necessary communication). i then ran spybot s&d and it just found one thing called "eAcceleration," which i had it delete. i'm really concerned because so far, nothing relating to DMSetup has been found and some of the open ports are suspicious. i read up on closing the netbios (port 445), as well as closing ports 135-139, but i've never done it before, so i don't know if it's wise. i got ahold of a list of the ports & their uses and some of my open ports are used for trojans (like 1025, which is used by Remote Storm)

finally, today, i ran adaware and it found 80 objects, most of which were just MRU's, but 6 were adware.pop (items in the registry - i'm assuming they're pop-ups), 8 were tracking cookies, 1 was "POSSIBLE BROWSER HIJACK ATTEMPT" and 1 was "WIN ANTIVIRUS PRO," which, after some research, i found is spyware.

here is my hijack this log....any help is greatly appreciated....

Logfile of HijackThis v1.99.1
Scan saved at 10:42:44 AM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.inspiredsilver.com
O15 - Trusted Zone: http://*.savinathompson.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

thank you in advance!!!
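
Added example (not part of the original post or of any tool named in it): whether a listening port can be reached from another machine depends on the local address it is bound to, and that can be read straight from the netstat rows. The Python sketch below parses rows in the layout shown in the post, labels each listener's bind scope, and compares two snapshots by protocol and port; the sample rows are abridged from the post's outputs, and every function name is this example's own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    scope: str


# Sample input abridged from the first and third netstat outputs in the post.
SNAPSHOT_A = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
UDP 0.0.0.0:500 *:*
UDP 69.244.253.97:137 *:*
UDP 127.0.0.1:123 *:*
"""

SNAPSHOT_B = """\
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:500 *:*
UDP 69.244.253.97:137 *:*
UDP 127.0.0.1:123 *:*
"""

# proto, local addr, local port, foreign endpoint, optional TCP state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def scope_of(addr: str) -> str:
    """Label a bind address by who can reach a socket bound to it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1, local processes only
        return "loopback-only"
    if ip.is_private:          # RFC 1918 address, e.g. behind a router
        return "lan-interface"
    return "public-interface"


def parse_listeners(text: str) -> List[Listener]:
    """Return listening TCP sockets and bound UDP sockets from netstat text."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        addr = addr.strip("[]").split("%")[0]  # tolerate [v6] and zone ids
        found.append(Listener(proto, addr, int(port), scope_of(addr)))
    return found


def remotely_reachable(listeners: List[Listener]) -> List[Tuple[str, int]]:
    """Ports bound to something other than loopback, sorted for review."""
    return sorted({(l.proto, l.port) for l in listeners
                   if l.scope != "loopback-only"})


def new_listeners(before: List[Listener], after: List[Listener]) -> List[Listener]:
    """Listeners in `after` whose (proto, port) was absent in `before`.

    Keyed on port, not address, so a changed interface address alone
    does not show up as a new listener.
    """
    seen = {(l.proto, l.port) for l in before}
    return [l for l in after if (l.proto, l.port) not in seen]


if __name__ == "__main__":
    a = parse_listeners(SNAPSHOT_A)
    b = parse_listeners(SNAPSHOT_B)
    for l in a:
        print(f"{l.proto} {l.port:<5} bound to {l.addr:<15} -> {l.scope}")
    print("reachable from other hosts:", remotely_reachable(a))
    print("new since first snapshot:", new_listeners(a, b))
```

A port number matching an entry in a trojan port list says nothing by itself; the bind scope and the owning process are what to check, and the firewall rules should cover only the listeners that are not loopback-only.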

wordsmith
2006-08-25, 22:44
also, i just ran panda and it found 28 pieces of spyware (but it doesn't clean them!!! grrrrr)....it doesn't say what or where they are and the free version doesn't clean them, so i don't know how much to trust it....i'm really concerned about keyloggers, since i had 8 of them on my computer about 3 months ago...8!!!!

thank you again for any help...:(

tashi
2006-08-31, 05:19
Hello,

If you have not resolved the problem, we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

illukka
2006-09-04, 08:47
hi

locate the ewido anti-spyware icon on the desktop and double-click it to launch the program.
you will need to run ewido and update the definition files.
On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware

reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61).
Launch ewido-anti-spyware by double-clicking the icon on your desktop.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
Ewido will now begin the scanning process, be patient this may take a little time.
Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close ewido.


reboot back to normal mode, rescan with hijackthis and post its report along with the ewido report
NOTE: the ewido report may be large, use several posts if necessary to include everything in it

good luck

wordsmith
2006-09-05, 19:15
hi illukka,

i'm just about to follow your advice, but i thought i'd stop in first and say that this morning i've been alerted 3 times by my norton personal firewall that someone was trying to access my computer via UDP (inbound)...i don't know what that is, but it had a remote ip of:

64.120.238.166:17847 and the local ip was good ol' 69.244.253.97:1026 - that was the one i tried to block but my internet stopped working. i traced the remote ip address to teligent, inc. here's their homepage: http://www.teligent.com/teligent.nsf/Home

do you know what my next steps would be in terms of letting them know about the hacker?

illukka
2006-09-05, 19:43
hi

that looks like one of teligent's ( that's a corporate ISP ) clients has a network worm. don't worry, your NIS firewall is more than capable of blocking those.

the network worm is performing port scans to find vulnerable computers with exploitable port 1026.





OrgName: Teligent, Inc.
OrgID: TGNT
Address: 460 Herndon Parkway
City: Herndon
StateProv: VA
PostalCode: 20170
Country: US

ReferralServer: rwhois://rwhois.tgnt.net:4321/

NetRange: 64.120.0.0 - 64.120.255.255
CIDR: 64.120.0.0/16
NetName: TGNT-BLK-3
NetHandle: NET-64-120-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: HERDNS004I0.TELIGENT.COM
NameServer: HERDNS003I0.TELIGENT.COM
NameServer: HERDNS002I0.TELIGENT.COM
NameServer: HERDNS001I0.TELIGENT.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-07-05
Updated: 2002-10-02

RTechHandle: IT45-ARIN
RTechName: Teligent, Inc.
RTechPhone: +1-888-411-1175
RTechEmail: support@tgnt.net

OrgNOCHandle: DNS1049-ARIN
OrgNOCName: DNS
OrgNOCPhone: +1-888-203-6492
OrgNOCEmail: dns@teligent.com

OrgTechHandle: IT75-ARIN
OrgTechName: Teligent DNS
OrgTechPhone: +1-888-203-6492
OrgTechEmail: dns@teligent.com

that doesn't list an abuse addy, so you could try contacting them otherwise

wordsmith
2006-09-06, 08:54
hi,

first, let me begin by saying thank you SOOO much for helping me with this...

second, i didn't get a chance to follow your steps until a couple of hours ago since i work on my computer all day. i literally got over 100 of those alert messages throughout the day and have blocked them every time, but i'm STILL getting them. after i followed your advice and rebooted my computer into normal mode, i got one that was different than the others...the port was completely different. here's what it said:

11:09 pm
Protocol: UDP (Inbound)
Remote Address: 192.168.100.11:bootpc(68)
Local Address: 255.255.255.255:bootps(67)

i did ip searches on some of the remote addresses that came up throughout the day & 1 of them was for my internet service provider (comcast) and another one was the one i told you about, teligent, inc. or something....

now i'm really worried because i've never gotten so many of these alerts.

anyway, here are the logs you requested:

EWIDO:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:58:23 PM 9/5/2006

+ Scan result:



D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csband.dll -> Adware.Comet : Cleaned with backup (quarantined).
D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csbho.dll -> Adware.Comet : Cleaned with backup (quarantined).
:mozilla.11:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.12:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.13:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.16:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.17:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.18:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.242:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.28:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.249:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.205:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc12.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.228:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.55:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.10:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.287:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.236:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.237:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.209:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.210:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.211:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.252:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.253:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.49:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.47:C:\RECYCLER\S-1-5-21-1387109402-2168910982-3102730107-1003\Dc10.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.194:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.195:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.288:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.289:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Netscape\NSB\Profiles\sjoaw4gc\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end

wordsmith
2006-09-06, 08:54
AND HERE'S THE LATEST HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:59 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Cleaner\tca.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\VIRUSES & TROJANS\ANTIVIRUS & SPYWARE\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.inspiredsilver.com
O15 - Trusted Zone: http://*.savinathompson.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topproduceronline.com/Downloads/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

(sigh)...ewido picked up something like 107 tracking cookies & 1 adware, but no malware...the other anti-spyware software i have, just fyi, is:

spybot s&d
cwshredder
winsockxpfix (never used)
mcafee sting (never used)
vx2finder (never used)
adaware
zls? (never used)
bhblaster (browser blaster) (never used)
cpuz (never used)

even as i write this i've gotten 4 of those warnings...

do you think i'll need to reformat? is there any way to castrate the idiots who create these things? i guess that's probably not your area of expertise, though. (cough).

thank you again for your help!!

wordsmith
2006-09-06, 09:00
also, i forgot to mention that today i was working on my web site with a tech guy from my hosting company & we found a really weird file stored in my file manager - i've never seen it before & the tech said it's definitely not from the company, but it was a web page that talked about networking to computers & it had all sorts of technical information and numerical sequences. unfortunately the tech guy accidentally deleted it, but it was called something like haan...i don't know if it has anything to do with this, but i thought i'd mention it.

wordsmith
2006-09-06, 21:17
hi again...a new development....i can search for pictures & music on my computer, but now, all of a sudden, i'm not able to search for files & folders. is there a way for me to just close the ports on my computer??

illukka
2006-09-08, 06:46
Download and Save Blacklight (https://europe.f-secure.com/blacklight/try.shtml) to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

wordsmith
2006-09-08, 07:22
i don't know if i did something wrong, but i don't see a "rename" option...i opened blacklight and got a dos window...i accepted the user agreement & it started scanning automatically for "hidden items" - while it was scanning i opened the .txt file, saw that it had a few things in it, then closed it since it was still scanning. the scan lasted about 10 minutes, then i left the room for about 2 minutes...when i came back, the dos window was gone. there isn't any "rename" option - it's just a .txt file & the dos window is completely gone. here's what's in the .txt file:

09/07/06 22:08:18 [Info]: BlackLight Engine 1.0.46 initialized
09/07/06 22:08:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/07/06 22:08:18 [Note]: 7019 4
09/07/06 22:08:18 [Note]: 7005 0
09/07/06 22:08:19 [Note]: 7006 0
09/07/06 22:08:19 [Note]: 7011 1488
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:34 [Note]: FSRAW library version 1.7.1019
09/07/06 22:15:49 [Note]: 7007 0

i don't know if it matters, but on the blacklight download page it says that the copy of blacklight will stop working on sept. 1st, 2006. i'm going to try to run it again to see if i interrupted it by opening the .txt file. if the contents change, i'll post them here. also, i turned on my windows firewall yesterday & stopped getting those warning messages...i didn't realize that it had been turned off (my nortons firewall was on though - that's what was giving me the warnings).

wordsmith
2006-09-08, 07:33
hi,

i didn't see the graphic interface option when i downloaded the software, so i downloaded that one this time & ran it....it says there are no hidden items found and i think the log is the same as the 1st one i posted, but here it is anyway:

09/07/06 22:08:18 [Info]: BlackLight Engine 1.0.46 initialized
09/07/06 22:08:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/07/06 22:08:18 [Note]: 7019 4
09/07/06 22:08:18 [Note]: 7005 0
09/07/06 22:08:19 [Note]: 7006 0
09/07/06 22:08:19 [Note]: 7011 1488
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:19 [Note]: 7026 0
09/07/06 22:08:34 [Note]: FSRAW library version 1.7.1019
09/07/06 22:15:49 [Note]: 7007 0

wordsmith
2006-09-08, 07:40
sorry i didn't mention this to begin with, but i have 2 harddrives on my computer (i might have a 3rd, i'm not sure - sorry, i don't know anything about hard drives)...i have Presario (C:), Local Disk (D:) and Presario_RP (E:)

also, the former friend who set up my computer for me set up an "owner" and an "administrator" - i can't see that when i turn on my computer normally, but when i start it in safe mode, it gives me the option of going into the "owner" account or the "administrator" account.

wordsmith
2006-09-08, 08:23
sorry to keep posting, but i keep finding more information...

i just went into my norton firewall & looked under the "statistics," "view logs" area...i went into the "system" file and found that as of august 12th (the 1st entry it has in there - it looks like it deletes entries older than a month), it's started logging the following just about every day:

NIS is protecting your connnection to a newly detected network on adapter "VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport" (IP address: 24.130.71.118)

i don't have my computer networked to anyone...it's the only computer in the house.

THEN, as of 8-21-06, it started logging the same thing, but this time for my old friend, IP address 69.244.253.97 - both ip addresses are in the log up through sept. 6th (along with a 3rd IP address, 192.168.100.11, which came along on 8-23-06) THEN ON SEPT. 6TH IT SAYS:

Firewall setting "Total Network Disconnect" changed

then the user logged off & the following day the "NIS is protecting your connection to a newly detected network, blah blah blah" message is back

UNDER THE "THREAT ALERTS" FILE, THERE ARE LITERALLY ABOUT 100 ENTRIES, BEGINNING WITH MAY OF 2005 FOR 2 THREATS:

W32.Netsky.P@mm!enc (also W32.Netsky.P@mm) and
Spyware.Webhancer

For both of those threats, every entry says either "Delete Failed," "Access denied" or "Repair Failed"

is it possible that my ip address has changed since the last time i saw it a few months ago and the 69.244.253.97 is mine? my name is next to it in the "connections" (although there are also a bunch of "Local Host" connections as well). if that's the case, though, then why is it that when i blocked all of those connections yesterday, i was still able to access the internet? anyway, hopefully something in all of this info was helpful in figuring this out. please let me know if you need any other info.

illukka
2006-09-14, 06:23
hi

sorry for the late reply. i do have work and a family too

there are no signs of malware in your logs so far

open hijackthis, click do a system scan only
checkmark these lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
6:54 14.9.2006

then close all other programs and browser windows, except for hijackthis
and click fix checked

reboot

I need you to download MWav (http://www.mwti.net/download/tools/mwav.exe) to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
Memory
Startup Folders
Drive - All Local Drives
Folder - then click "browse" to change the directory to C: (default is C:\Windows)
Registry
System Folders
Services
Include Sub-Directory
Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.


also

Download WinPFind (http://www.bleepingcomputer.com/files/winpfind.php)

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

so post the mwav scan log, winpfind log and a fresh hijackthis log
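
Added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over a HijackThis log that lists entries whose target is gone ("(no file)" / "(file missing)") and autostart items (O4, O23) that load from a Temp directory. The two rules, the reason labels and the function names are assumptions made for this illustration; the sample lines are copied from the log posted above, and a hit means "review this line", not "this is malware".

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Sample input: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: NRFHJWRP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\NRFHJWRP.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# A log entry starts with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$", re.MULTILINE)

# HijackThis appends one of these markers when the referenced file is absent.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

# Any path component named Temp (covers "Local Settings\Temp" and "LOCALS~1\Temp").
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Sections that start something automatically: Run keys/startup folders and services.
AUTOSTART_SECTIONS = {"O4", "O23"}


def parse_entries(text):
    """Return (section, body) for every registry/startup entry in the log.

    The header and the "Running processes" block do not begin with a
    section code, so they are skipped.
    """
    return [(m.group(1), m.group(2).rstrip()) for m in ENTRY_RE.finditer(text)]


def triage(text):
    """Apply the two review rules and return findings in log order."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if MISSING_RE.search(body):
            # Orphaned entry: the registry still references a file that is gone.
            findings.append(Finding(section, "missing-target", line))
        if section in AUTOSTART_SECTIONS and TEMP_RE.search(body):
            # Persistent autostart from a temp directory is unusual and worth a look.
            findings.append(Finding(section, "autostart-in-temp", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```
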

tashi
2006-09-16, 05:55
How is it going wordsmith :)

wordsmith
2006-09-22, 05:48
hi,

i'm sorry for disappearing - i was away this week....i'll take the steps that you suggested tonight...i'll just let it run on the computer while i'm sleeping.

i just got an alert from my norton firewall saying that ip address 0.239.13.14 tried to make contact with my computer (i was just reading a bulletin board message - hadn't done anything unusual). it said it was characteristic of an "INVALID SOURCE ID" ATTACK.

thank you for the help - i'll let you know how it goes with your suggestions!

illukka
2006-09-22, 09:12
yep norton does alert a lot..

good news is that your norton firewall is very good, and it can block these attacks easily :laugh: if those even are real attacks. i usually refer to those as internet background noise

i am not too familiar with its settings, but there should be something to lessen the amount of alerts..in the settings of it

wordsmith
2006-09-22, 17:27
okay, it's been scanning for over 9 hours (only 1 of my 3 hard drives so far), so this might take all weekend, but here's what the mwantivirus toolkit has found so far:

Object "minibug Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "elite toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\COMAdmin.DirectSoundFXCompressorPage.1" refers to invalid object "{062722AB-E8CC-4D2D-F56C-2BBC14813B4B}". Action Taken: No Action Taken.


CONTINUED IN NEXT MSG

wordsmith
2006-09-22, 17:28



it seemed to find a lot when it was scanning the registry...

i'll post the rest when it's done...

thank you!

wordsmith
2006-09-23, 03:32
hi,

i just got home from work - i left it running all day while i was gone...anyway, it found a LOT of viruses, worms, trojan downloaders, keyloggers & a couple of browser hijackers, but from what i can tell, they're all quarantined in norton, so they shouldn't pose a problem, should they? anyway, here's the log broken down:

Object "minibug Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "cws.datanotary Browser Hijacker" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.sidefinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "elite toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.

wordsmith
2006-09-23, 03:34
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "xrenoder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5.0.3)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5.0.4)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.5.0.6)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSPUB5". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "oeupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Plaxo". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q327979". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q328310". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329048". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329112". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329115". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329170". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "q329256". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329390". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329441". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329834". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329909". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q331953". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q331958". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810565". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810577". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810833". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q811493". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q811789". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q814033". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q814995". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q815021". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q815485". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817287". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817606". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q828026". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Rock and Roll JEOPARDY!". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Display". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Gamma2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Info2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "S3Overlay". Action Taken: No Action Taken.

wordsmith
2006-09-23, 03:35
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ScreensaversInstaller". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1A655D51-1423-48A3-B748-8F5A0BE294C8}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{45EBDA59-D33B-433A-956E-B2F236468B56}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-000000000001}". Action Taken: No Action Taken.
File C:\hp\bin\KillWind.exe tagged as not-a-virus:RiskTool.Win32.PsKill.p. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02891BE8.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\02CE5F9C.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\030E3D00.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\03A000A8.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\040676AF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\046B1D42.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\059E4ECE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\07EA3F7F tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\08D967BC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\08EF0DA3.dll infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\08F6619B.tmp infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09005F91.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0903098D.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0906338A.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0906338A.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\090A5D86.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\090D0782.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0910317F.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0910317F.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09135B7B.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09135B7B.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09170578.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\091A2F74.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\091D5970.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\091D5970.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.

wordsmith
2006-09-23, 03:39
File C:\Program Files\Norton AntiVirus\Quarantine\0920036D.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0920036D.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09242D69.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09242D69.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09275766.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09275766.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\092A0162.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09A63CD9.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09AA66D6.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09AA6DE4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09AD10D2.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09B03ACF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09B03ACF.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09B364CB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09B364CB.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09B70EC7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09BA38C4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09BA38C4.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09BD62C0.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09C00CBD.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09C436B9.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09C760B5.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09CA0AB2.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09CE34AE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09CE34AE.pif infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09CE34AE.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09D15EAB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09D15EAB.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09D408A7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09D408A7.scr infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09D732A4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\09EF3198.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0D9F1B3A.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0EA75DDB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F303CA7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0F9632AE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0FA62DD3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\109411D3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10A57DCA.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\10CA3FE0.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\110F0394.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\112F0ACC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\119500D4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\11A44DC2.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\12A31DBA.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\14F433C9.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\16FF042B.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\17EA11DB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\182F5590.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1B276EAD.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1CBC0663.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1CBF46CB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1D253CD2.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F0A63D7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\211C285A.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2285013E.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\22BE77B8.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.

wordsmith
2006-09-23, 03:40
File C:\Program Files\Norton AntiVirus\Quarantine\23180112.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\232878BC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\23AC00E6.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\25680062.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\262F399F.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\26B72AAB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\27881AB3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\28917D07.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\28B678D1.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\29914CFF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2A901CF7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2AD42B3F.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B196EF3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B8F6CEF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D451CEB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D8D0CDF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F506D4D.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31F47D3A.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\321A48B7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\323940EF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\324766AA.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B00F43.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B418B1.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\344634D0.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\355B69EF.exe infected by "Net-Worm.Win32.Protoride.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\39144F36.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\395912EB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3B7961DE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3DD822A9.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3E3E18B0.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3FD670CE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3FD903D4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40352132.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\407A64E7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\41B777F4.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\41E86916 infected by "Net-Worm.Win32.Padobot.h" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4373776F.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\44077743.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\449B7717.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\454D095A infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\46577693.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4755732E.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\47A1566E.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\49685EA7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\49CE54AF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\49D23F55.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4B672CCD.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4C433716.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4E2775DF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4F2645D7.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\502515CF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\512565C6.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\522435BE.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\531E3A95.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\532305B6.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53637E4A.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\53CA4AFF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\555E10AD.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\56F768CC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\575D5ED3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\582A6CF6.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5A3F0C91.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5A4C7E3F infected by "Trojan-Spy.Win32.GhostKeyLogger.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5A845046.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5FF23F90.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\60EF4CAC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\615F5E8D.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\61A42242.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\62ED1AD2.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\641A5BDC.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\64526186.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\67134513.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\687F3089.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68C4743D.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69116503.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6B0F04F3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6C1B3421.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6C7F08AB.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6D0E24E3.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6E0D74DA.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6E7E56D0.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6FA00285.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\707A5617.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7258348C.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\75C87673.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\780F44A9.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\784328B1.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7A0E12CF.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7CA34AA8.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File D:\Documents and Settings\Savina\Desktop\pumpkinpatch01.exe tagged as "not-a-virus:AdWare.Win32.Quick.a". Action Taken: No Action Taken.
File D:\Documents and Settings\Savina\Desktop\wcfautumnwoods.exe tagged as "not-a-virus:AdWare.Win32.Quick.a". Action Taken: No Action Taken.
File D:\Documents and Settings\Savina\Desktop\wcfgoldenwoods.exe tagged as "not-a-virus:AdWare.Win32.Quick.a". Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\comet.exe tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csctx.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\cseng.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\csip.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\skinui.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\RECYCLER\NPROTECT\00000000. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File D:\RECYCLER\NPROTECT\00000001. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP618\A0153213.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP618\A0153214.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\WINDOWS\system32\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.cq" Virus! Action Taken: No Action Taken.
File C:\hp\bin\KillWind.exe tagged as not-a-virus:RiskTool.Win32.PsKill.p. No Action Taken.

wordsmith
2006-09-23, 07:54
sorry to have posted the whole infected list again, but i didn't know where the partial one i sent you ended, so i didn't want to miss anything.

like i said before, i have a presario (c:) drive, a local disk (d:) drive and a PRESARIO_RP (E:) drive...do i need to run the MWAV & WINPFIND scans for each of the drives?? MWAV took a total of 21 hours for my c: drive...i will if i need to - just please let me know.

i'll run the WINPFIND tonight when i go to bed & i'll post the log tomorrow...

also, lately my outlook has been hanging up & it says that some program won't let it close...i've been checking my windows task manager for any strange programs lately & i noticed a few i haven't noticed before...i don't remember what the others are, but one is called OEHOOK.exe....i didn't see it on the MWAV scan...

thank you again for the help!

have a good weekend!

illukka
2006-09-29, 14:47
how is it with the winpfind report?

in the meanwhile i suggest emptying norton's quarantine

wordsmith
2006-10-01, 00:37
how do i empty norton's quarantine? is it possible for quarantined items to still be used by remote systems?

sorry - i'll post the winpfind list here tomorrow... thank you!!

illukka
2006-10-01, 17:40
hi

no, items in norton's quarantine are locked, and not available
open NAV > manage quarantine > empty it (delete all items)

there were signs of malware, but those seem to be mostly leftovers. the winpfind log will reveal if any of those are active..
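
The reply above separates locked quarantine copies and leftovers from anything that may still be active, and that split can be applied mechanically to the scan log posted earlier. The following is an added example, not part of the thread: the sample lines are copied from that log, while the function names and the rule that a path marker identifies a stored copy are assumptions of the example, used only to order the follow-up.

```python
import re
from collections import Counter

# Lines copied from the scan log posted earlier in this thread.
SAMPLE_LOG = r'''
File C:\Program Files\Norton AntiVirus\Quarantine\355B69EF.exe infected by "Net-Worm.Win32.Protoride.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\41E86916 infected by "Net-Worm.Win32.Padobot.h" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7CA34AA8.exe infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet\Bin\comet.exe tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\RECYCLER\NPROTECT\00000000. infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
File D:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP618\A0153213.dll tagged as "not-a-virus:AdWare.Win32.Comet.w". Action Taken: No Action Taken.
File D:\WINDOWS\system32\cmd.ftp infected by "Trojan-Downloader.BAT.Ftp.cq" Virus! Action Taken: No Action Taken.
File C:\hp\bin\KillWind.exe tagged as not-a-virus:RiskTool.Win32.PsKill.p. No Action Taken.
'''

# One record per line: path, verb, detection name, action taken.
# The detection name appears both quoted and bare in the log.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) (?P<verb>infected by|tagged as) '
    r'"?(?P<name>[A-Za-z0-9:._-]+?)"?\.? '
    r'(?:Virus! )?(?:Action Taken: )?(?P<action>[^.]+)\.$'
)

# Assumption of this example: these path markers identify stored copies
# (AV quarantine, System Restore snapshots, recycle bin), not files in use.
STORED_COPY_MARKERS = [
    ("quarantine", "\\norton antivirus\\quarantine\\"),
    ("restore-point", "\\system volume information\\_restore"),
    ("recycle-bin", "\\recycler\\"),
]


def classify_location(path):
    """Return a location label for a detected file; 'live' if no marker matches."""
    lowered = path.lower()
    for label, marker in STORED_COPY_MARKERS:
        if marker in lowered:
            return label
    return "live"


def parse_line(line):
    """Parse one scanner line into a record, or return None if it is not one."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    name = match.group("name")
    return {
        "path": match.group("path"),
        "name": name,
        # The scanner prefixes adware and risk tools with "not-a-virus:".
        "kind": "riskware" if name.startswith("not-a-virus:") else "malware",
        "action": match.group("action"),
        "location": classify_location(match.group("path")),
    }


def triage(log_text):
    """Count detections per (location, kind) and list live-path hits to check first."""
    records, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record:
            records.append(record)
        else:
            unparsed.append(line.strip())  # never drop a line silently
    counts = Counter((r["location"], r["kind"]) for r in records)
    # Malware verdicts on live paths come first, then riskware on live paths.
    follow_up = sorted(
        (r for r in records if r["location"] == "live"),
        key=lambda r: (r["kind"] != "malware", r["path"].lower()),
    )
    return {"counts": counts, "follow_up": follow_up, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (location, kind), total in sorted(result["counts"].items()):
        print(f"{location:14} {kind:9} {total}")
    print("check first:")
    for record in result["follow_up"]:
        print(f"  {record['kind']:9} {record['name']}  {record['path']}")
    if result["unparsed"]:
        print(f"{len(result['unparsed'])} line(s) did not parse; review them by hand")
```

The location label is a sorting hint, not a verdict: a hit on a live path still needs the startup and registry checks from the WinPFind log to show whether anything loads it.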

wordsmith
2006-10-02, 06:30
hi,

i'm going to have to post the log in a few messages since it's so long, but i have a question - we've been checking my c drive, but i have another drive, a d drive - a friend of mine installed it for me after my old computer crashed. should i run these scans on those drives also? thank you! here's the 1st part of the log:


»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 10/1/2006 8:23:05 PM
WinPFind v1.5.0 Folder = C:\WinPFind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 8/28/2004 8:20:58 PM 121143984 C:\pain shop pro 8.exe (Jasc Software Inc )
WSUD 8/28/2004 8:20:58 PM 121143984 C:\pain shop pro 8.exe (Jasc Software Inc )

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\LPT$VPN.675 ()
qoologic 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\LPT$VPN.675 ()
SAHAgent 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\LPT$VPN.675 ()
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll ()
UPX! 8/22/2006 4:45:08 PM 176709 C:\WINDOWS\tsc.exe (Trend Micro Inc.)
PECompact2 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\VPTNFILE.675 ()
qoologic 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\VPTNFILE.675 ()
SAHAgent 8/22/2006 4:45:04 PM 21786153 C:\WINDOWS\VPTNFILE.675 ()
UPX! 8/22/2006 4:45:06 PM 1077328 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
aspack 8/22/2006 4:45:06 PM 1077328 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)

Checking %System% folder...
WSUD 9/20/2004 4:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 2/26/2005 2:01:40 PM 174080 C:\WINDOWS\SYSTEM32\ExMenu.dll (Exontrol Inc.)
UPX! 2/26/2005 2:01:38 PM 113152 C:\WINDOWS\SYSTEM32\ExPMenu.dll (Exontrol Inc.)
UPX! 2/26/2005 2:01:40 PM 202240 C:\WINDOWS\SYSTEM32\ExTab.dll (Exontrol Inc.)
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 9/11/2006 10:37:22 AM 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 9/11/2006 10:37:22 AM 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/1/2006 8:21:48 PM S 2048 C:\WINDOWS\bootstat.dat ()
9/27/2006 7:37:12 PM H 54156 C:\WINDOWS\QTFont.qfn ()
8/21/2006 6:00:10 AM S 11749 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat ()
9/18/2006 7:40:26 AM S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925486.cat ()
10/1/2006 8:21:40 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
10/1/2006 8:22:14 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
10/1/2006 8:21:50 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
10/1/2006 8:22:16 PM H 86016 C:\WINDOWS\system32\config\software.LOG ()
10/1/2006 8:21:56 PM H 1085440 C:\WINDOWS\system32\config\system.LOG ()
9/14/2006 5:43:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG ()
8/21/2006 5:10:46 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 ()
9/30/2006 10:11:46 AM S 14760 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\6C68A73125F3238F044A8115D96841B6 ()
9/20/2006 9:01:34 AM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C ()
9/30/2006 10:11:30 AM S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1 ()
8/21/2006 5:10:46 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 ()
9/30/2006 10:11:46 AM S 132 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\6C68A73125F3238F044A8115D96841B6 ()
9/20/2006 9:01:34 AM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C ()
9/30/2006 10:11:30 AM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1 ()
8/7/2006 9:05:14 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\d3c3b4cf-f00f-4487-9651-dfe5a054f679 ()
8/7/2006 9:05:14 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
8/11/2006 11:09:52 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\f76bf291-0646-4d01-bef3-c2509675a78d ()
8/11/2006 11:09:52 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
10/1/2006 8:19:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
9/20/2004 4:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
4/7/2003 7:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl (Intel Corporation)
5/26/2003 5:12:14 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl (Ahead Software AG)
8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/19/2003 2:56:00 AM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl (NVIDIA Corporation)
8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
2/17/2004 6:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
4/7/2003 7:14:30 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl (Intel Corporation)
2/17/2004 6:49:14 AM 14193152 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL (Realtek Semiconductor Corp.)

Checking for Downloaded Program Files...
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - HouseCall Control - CodeBase = http://housecall60.trendmicro.com/housecall/xscan60.cab
{08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM - CodeBase = https://www.topproduceronline.com/downloads/msjavx86.exe
{09C6CAC0-936E-40A0-BC26-707480103DC3} - shizmoo Class - CodeBase = http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - YInstStarter Class - CodeBase = http://download.yahoo.com/dl/installs/yinst0401.cab
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{644E432F-49D3-41A1-8DD5-E099162EEEC5} - Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} - HouseCall Control - CodeBase = http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
{8569D715-FF88-44BA-8D1D-AD3E59543DDE} - ActiveReports Viewer2 - CodeBase = https://www.topproduceronline.com/Downloads/arview2.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B9191F79-5613-4C76-AA2A-398534BB8999} - YAddBook Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - Java Plug-in 1.4.2_05 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - Java Plug-in 1.5.0_05 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
{F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} - iPIX Media Send Class - CodeBase = http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
JT's Blocks - - CodeBase = http://download.games.yahoo.com/games/clients/y/blt1_x.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
Yahoo! Spelldown - - CodeBase = http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
Yahoo! Towers 2.0 - - CodeBase = http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
Yahoo! Word Racer - - CodeBase = http://download.games.yahoo.com/games/clients/y/wt1_x.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/17/2004 10:06:52 PM 1971 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
8/21/2006 6:34:44 PM 1810 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
10/11/2003 3:16:08 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
8/17/2004 7:22:50 PM 571 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk ()
10/11/2003 4:31:20 AM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ()
8/24/2006 12:47:36 PM 673 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PayPal Plug-In for Outlook Express.lnk ()
10/11/2003 5:16:42 AM 675 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/10/2003 8:10:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
10/11/2003 4:35:18 AM 534 C:\Documents and Settings\All Users\Application Data\hpzinstall.log ()

Checking files in %USERPROFILE%\Startup folder...
10/11/2003 3:16:08 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()
10/14/2003 6:35:06 AM 817 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
10/10/2003 8:10:12 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.comcast.net/
\\Search Page -
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
\{BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F} - &Discuss = shdocvw.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

wordsmith
2006-10-02, 06:31
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8201
\\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - 8193 =
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8194 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8196 = Windows Messenger
\\{669B269B-0D4E-41FB-A3D8-FD67CA94F646} - 8197 =
\\{8828075D-D097-4055-AA02-2DBFA9D85E8A} - 8198 =
\\{97809617-3937-4F84-B335-9BB05EF1A8D4} - 8199 =
\\{85d1f590-48f4-11d9-9669-0800200c9a66} - 8200 = Uninstall BitDefender Online Scanner v8

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{669B269B-0D4E-41FB-A3D8-FD67CA94F646} - ButtonText: ComcastHSI = http://www.comcast.net/ ()
\{85d1f590-48f4-11d9-9669-0800200c9a66} - MenuText: Uninstall BitDefender Online Scanner v8 = ()
\{8828075D-D097-4055-AA02-2DBFA9D85E8A} - ButtonText: Support = http://www.comcastsupport.com/ ()
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research =
\{97809617-3937-4F84-B335-9BB05EF1A8D4} - ButtonText: Help = http://online.comcast.net/help/ ()
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{DEE12703-6333-4D4E-8F34-738C4DCC2E04} - RecordNow! SendToExt = c:\Program Files\RecordNow!\shlext.dll (Sonic Solutions)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{7F67036B-66F1-411A-AD85-759FB9C5B0DB} - SampleView = C:\WINDOWS\System32\ShellvRTF.dll (XSS)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation)
\\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
\\{A4DF5659-0801-4A60-9607-1C48695EFDA9} - Share-to-Web Upload Folder = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL (Hewlett-Packard)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\TheCleaner - {2DE506B9-4320-11d3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll (MooSoft Development)
\Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\TheCleaner - {2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll (MooSoft Development)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\System32\igfxpph.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\TheCleaner - {2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll (MooSoft Development)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
HotKeysCmds - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
HPHUPD05 - c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe ()
HPHmon05 - C:\WINDOWS\System32\hphmon05.exe (Hewlett-Packard)
KBD - C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
UpdateManager - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
Recguard - C:\WINDOWS\SMINST\RECGUARD.EXE ()
VTTimer - C:\WINDOWS\SYSTEM32\VTTimer.exe (S3 Graphics, Inc.)
ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
LTMSG - C:\WINDOWS\LTMSG.exe (Agere Systems)
PS2 - C:\WINDOWS\system32\ps2.exe (Hewlett-Packard Company)
ccRegVfy - c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe (Symantec Corporation)
NeroCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
HPDJ Taskbar Utility - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe (HP)
Share-to-Web Namespace Daemon - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
tcactive - C:\Program Files\The Cleaner\tca.exe (MooSoft Development)
tcmonitor - C:\Program Files\The Cleaner\tcm.exe (MooSoft Development)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RecordNow! - Reg Data missing or invalid ()
NVIEW - C:\WINDOWS\SYSTEM32\rundll32.exe (Microsoft Corporation)
Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe (Symantec Corporation)
Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe (Yahoo! Inc.)
MoneyAgent - C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe (Broderbund Properties LLC)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PayPal Plug-In for Outlook Express.lnk - C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe (A1-Technology)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe (Intuit Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe (interMute, Inc.)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

wordsmith
2006-10-02, 06:31
[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{10A3CF4F-5989-4267-BD20-2FF788D5EE2A} - (Linksys Wireless-B USB Network Adapter v2.8)
{2C0AE951-2323-4604-83D8-D9FC5A43ECB4} - (Linksys Wireless-B USB Network Adapter v2.8)
{7B2FAAE3-1C21-4CD0-B861-8F5C172DAE44} - (1394 Net Adapter)
{BA2AB463-5919-4669-A7F4-A397D431C3AB} - ()
{E8FC57F0-A3C5-4566-B0AF-580A5AA907AC} - (VIA Rhine II Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

wordsmith
2006-10-02, 06:37
also, in my system folder, i saw that there were some files that say Exontrol Inc. - i found a page on symantec that says it's the TrueActive Monitor keylogger. here's the page:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-091314-3710-99&tabid=1

wordsmith
2006-10-02, 10:26
in my "all winsock2 catalogs" area, there's an entry called:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]

i looked on symantec & it said that it's related to trojan.redfall

here's the symantec page:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-101217-0310-99&tabid=3

and this file: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs] is listed on symantec as the WORM_STRATION.BB

here's the page on that one:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091012-5303-99&tabid=1

the file: \\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (under the heading "shared task scheduler") is listed with symantec as being W32.Dinoxi.B

here's its symantec page: http://www.symantec.com/security_response/writeup.jsp?docid=2005-121100-2605-99&tabid=2

i don't know if any of this info helps you, but i figured it wouldn't hurt to give you the info.

i don't remember which file it was connected to on my log, but i also found W32.Mydoom.G@mm

here's the symantec page:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-030213-0918-99&tabid=2

and Backdoor.Sedepex

symantec page:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-103109-2236-99&tabid=3

and the file: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping] is listed as being Adware.Sidefind, which comes bundled with Trojan.ISTsvc

IS IT POSSIBLE TO HAVE THIS MANY TROJANS & WORMS ON MY COMPUTER???

and the SAHAGENT files are Trackware.SAHAgent

here's the symantec page:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-110817-3117-99

okay, wait a minute - there are just so many that i can't possibly have this much malware on my computer, can i??? my old roommate used to download music onto my computer all the time on kazaa....it was tagged a few months ago by one of my anti-spyware programs & one of the files was deleted, so it doesn't work anymore, but i haven't uninstalled it. i'm going to do that right now....

illukka
2006-10-02, 11:13
those are perfectly normal windows reg values which are modified by malware. none of those are there.
the scans picked up some malware files, but none of those seem to be active.

i'll post some suggestions later when i get back from work
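
An added illustration of the point made in the reply above (not part of the original thread and not the scan tool's own code): the sketch parses a few lines copied from the posted log and separates keys that merely exist from keys that actually hold an entry. The function names, the labels, and the reading of the trailing parentheses as a publisher field are assumptions.

```python
import re

# Excerpt copied from the log posted earlier in this thread (not the full log).
LOG_EXCERPT = r"""
>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv - c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
HPHUPD05 - c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe ()
ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
"""

# Assumption: the text in the trailing parentheses is the publisher the tool read.
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")


def parse_log(text):
    """Return {registry key: [(entry name, publisher or None), ...]}.

    Keys with no entry lines are kept with an empty list, because "the key
    is listed" and "the key loads something" are different findings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">>>"):
            current = None          # a new section never inherits the old key
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif line and current is not None:
            match = PUBLISHER_RE.search(line)
            publisher = match.group(1).strip() if match else None
            body = line[:match.start()].rstrip() if match else line
            keys[current].append((body.split(" - ", 1)[0], publisher))
    return keys


def triage(keys):
    """Label every key and list the entries whose publisher field is blank."""
    labels, review = {}, []
    for key, entries in keys.items():
        blank = [name for name, pub in entries if pub == ""]
        known = [pub for _, pub in entries if pub]
        if not entries:
            labels[key] = "empty"            # key exists, nothing loads from it
        elif blank:
            labels[key] = "blank-publisher"  # look at these files by hand
            review.extend((key, name) for name in blank)
        elif not known:
            labels[key] = "no-publisher-field"
        elif all(pub.startswith("Microsoft") for pub in known):
            labels[key] = "microsoft-only"
        else:
            labels[key] = "third-party"
    return labels, review


if __name__ == "__main__":
    labels, review = triage(parse_log(LOG_EXCERPT))
    for key, label in labels.items():
        print(f"{label:16} {key}")
    # A publisher string is only a triage hint, not proof of where a file came from.
    for key, name in review:
        print("check by hand:", name)
```
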

wordsmith
2006-10-02, 21:04
okay great....the csrss.exe file is active on my computer all the time, if that matters...

so none of the malware is active then? so i shouldn't worry about the ports that are active?

illukka
2006-10-02, 22:10
c:\windows\system32\csrss.exe is = client server runtime sub system by microsoft, a vital component of windows xp/2000 operating systems

the exontrol files are listed because those are upx packed, but those are not listed anywhere as loaded dlls

i would like to take a look at some files there if possible.

namely these:
C:\WINDOWS\SYSTEM32\ExMenu.dll
C:\WINDOWS\SYSTEM32\ExPMenu.dll
C:\WINDOWS\SYSTEM32\ExTab.dll

could you scan them at http://virusscan.jotti.org
scan them one at a time, post results here thank you

as far as opened ports go, the key is to disable unnecessary services and programs.. when the programs/services opening the ports are closed the port will close too
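
An added example, not from the thread: a UPX-packed PE file normally carries sections named UPX0 and UPX1, which is the kind of marker behind a "runtime packers were found" status. The sketch below reads the PE section table and reports such names; the helper names and the in-memory sample headers are constructed for the example.

```python
import struct


def section_names(data):
    """Return the section names from a PE file's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if pe_off + 24 > len(data):
        raise ValueError("truncated COFF header")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    names = []
    for i in range(count):
        off = table + 40 * i            # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hint(data):
    """Report UPX-style section names.

    This is a heuristic: it explains why a scanner mentions a packer, and it
    says nothing about whether the packed code is malicious. Section names
    can also be renamed, so their absence does not prove a file is unpacked.
    """
    names = section_names(data)
    upx = [n for n in names if n.startswith("UPX")]
    return {"sections": names, "upx_sections": upx,
            "looks_upx_packed": len(upx) >= 2}


def build_sample(names):
    """Constructed sample: PE headers only (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x2102)
    optional = b"\0" * 0xE0
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for label, sample in (("packed-style", build_sample(["UPX0", "UPX1", ".rsrc"])),
                          ("ordinary", build_sample([".text", ".data", ".rsrc"]))):
        print(label, packer_hint(sample))
```
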

wordsmith
2006-10-04, 08:10
okay, here are the results of the scan:

File: ExMenu.dll
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 dc1771f3a59641b0f0bfb774b0730bd1
Packers detected: UPX
Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

____________________________________________________

File: ExPMenu.dll
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 640da7a6c1da1d2a525d98c8ff32e46a
Packers detected:
UPX

Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

_____________________________________________________

File: ExTab.dll
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 6363a268deb0a5310904b6041173ce30
Packers detected:
UPX
Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
____________________________________________________
also, you mentioned 2 things that i have questions about:

1. you said that, regarding the open ports, i should disable unnecessary services & programs. how do i do that?

2. you said that some of the files were malware that doesn't seem to be active. can i get rid of the malware anyway, just so that it can never be activated?

thank you!!

wordsmith
2006-10-04, 08:18
RMAgentOutput.dll
Status:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 d5ed81b5764e618d99a627df4e49de2c
Packers detected:
UPX
Scanner results

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

illukka
2006-10-04, 09:51
ok, could you send me the files for closer examination:

RMAgentOutput.dll
C:\WINDOWS\SYSTEM32\ExMenu.dll
C:\WINDOWS\SYSTEM32\ExPMenu.dll
C:\WINDOWS\SYSTEM32\ExTab.dll
D:\WINDOWS\system32\cmd.ftp


zip them up, then send them as attachment to
illukka AT malware-research.co.uk
remove the spaces from the addy and replace AT with @ :)

i'll take a look at them
put a link to this thread in your message so i know where it's from :)


as for the malware files:
locate and delete these
D:\Documents and Settings\Savina\Desktop\pumpkinpatch01.exe<<--delete this file
D:\Documents and Settings\Savina\Desktop\wcfautumnwoods.exe<<--delete this file
D:\Documents and Settings\Savina\Desktop\wcfgoldenwoods.exe<<--delete this file
D:\Local Disk (F)\WINDOWS2\SYSTEM\Comet<<--delete this folder
D:\WINDOWS\system32\cmd.ftp<<--delete this file


for the malware registry entries mentioned in the mwaw log i suggest running a scan with spybot and adaware
allow spybot to fix red items, and for adaware allow it to fix all critical items

wordsmith
2006-10-05, 00:28
okay great, i deleted those files....also, the cmd.ftp file - there's one that's right next to it that's cmd.exe & it says it's "windows command processor" - should i delete that one also or leave it alone?

i'll e-mail those files over to you now...

illukka
2006-10-05, 06:17
cmd.exe is an important operating system file

edit: no attachment ?

wordsmith
2006-10-05, 19:40
sorry!! i'm re-sending that to you now.:oops:

illukka
2006-10-10, 21:04
i could find anything malicious in them, also sent them to some av analysts, haven't heard back..

are there still problems ?

wordsmith
2006-10-12, 08:57
hi,

well, i guess that's comforting...there isn't really anything happening except when i turn off my windows firewall. when i turn that off, i get a barrage of notifications saying that a remote system is trying to access my computer. i've only turned it off a couple of times to follow the steps you've given me...i leave it on all the time otherwise and haven't gotten any alerts recently. i'll run another scan to see what ports are open - but i don't know if that'll help much since i don't know how to close them or what programs are using them in the first place...

hopefully if there is some malware, the windows firewall is blocking the remote controller from being able to make it active...i'll post the .txt file with my port scan here tomorrow (thursday)...thank you again for all of your help!!

tashi
2006-10-18, 06:08
How is it going wordsmith. :)

wordsmith
2006-10-21, 04:31
hi tashi,

i think everything's okay - i haven't gotten any notices...but i'm still a little nervous since i kept getting those notices that someone was trying to access my computer. i guess i'll keep an eye on things and let you guys know if anything new comes up. thank you for the help - it's greatly appreciated!!!

tashi
2006-10-27, 20:01
Thank you for letting us know wordsmith. :cool:

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.